Skip to main content

HashiCorp Consul

32 CVEs infrastructure

Monthly

CVE-2024-10086 Go MEDIUM PATCH This Month

A vulnerability was identified in Consul and Consul Enterprise such that the server response did not explicitly set a Content-Type HTTP header, allowing user-provided inputs to be misinterpreted and. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS HashiCorp Consul
NVD
CVSS 3.1
6.1
EPSS
0.4%
CVE-2024-10006 Go MEDIUM PATCH This Month

A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such that using Headers in L7 traffic intentions could bypass HTTP header based access rules. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass HashiCorp Consul
NVD
CVSS 3.1
5.8
EPSS
0.5%
CVE-2024-10005 Go MEDIUM PATCH This Month

A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such that using URL paths in L7 traffic intentions could bypass HTTP request path-based access rules. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal HashiCorp Consul
NVD
CVSS 3.1
5.8
EPSS
0.7%
CVE-2023-5332 HIGH POC PATCH This Week

Patch in third party library Consul requires 'enable-script-checks' to be set to False. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

Gitlab Authentication Bypass HashiCorp Consul
NVD
CVSS 3.1
8.1
EPSS
0.7%
CVE-2023-3518 Go HIGH PATCH This Week

HashiCorp Consul and Consul Enterprise 1.16.0 when using JWT Auth for service mesh incorrectly allows/denies access regardless of service identities. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Hashicorp HashiCorp Consul
NVD
CVSS 3.1
7.3
EPSS
0.4%
CVE-2023-2816 Go MEDIUM PATCH This Month

Consul and Consul Enterprise allowed any user with service:write permissions to use Envoy extensions configured via service-defaults to patch remote proxy instances that target the configured. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure HashiCorp Consul
NVD
CVSS 3.1
6.5
EPSS
0.6%
CVE-2023-1297 Go HIGH PATCH This Week

Consul and Consul Enterprise's cluster peering implementation contained a flaw whereby a peer cluster with service of the same name as a local service could corrupt Consul state, resulting in denial. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service HashiCorp Consul
NVD
CVSS 3.1
7.5
EPSS
0.8%
CVE-2023-0845 Go MEDIUM PATCH This Month

Consul and Consul Enterprise allowed an authenticated user with service:write permissions to trigger a workflow that causes Consul server and client agents to crash under certain circumstances. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service Null Pointer Dereference HashiCorp Consul
NVD
CVSS 3.1
6.5
EPSS
1.0%
CVE-2022-3920 Go HIGH PATCH This Week

HashiCorp Consul and Consul Enterprise 1.13.0 up to 1.13.3 do not filter cluster filtering's imported nodes and services for HTTP or RPC endpoints used by the UI. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Hashicorp HashiCorp Consul
NVD
CVSS 3.1
7.5
EPSS
0.7%
CVE-2022-40716 Go MEDIUM PATCH This Month

HashiCorp Consul and Consul Enterprise up to 1.11.8, 1.12.4, and 1.13.1 do not check for multiple SAN URI values in a CSR on the internal RPC endpoint, enabling leverage of privileged access to. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Hashicorp Authentication Bypass HashiCorp Consul
NVD
CVSS 3.1
6.5
EPSS
0.8%
CVE-2022-29153 Go HIGH POC PATCH This Week

HashiCorp Consul and Consul Enterprise up to 1.9.16, 1.10.9, and 1.11.4 may allow server side request forgery when the Consul client agent follows redirects returned by HTTP health check endpoints. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Hashicorp HashiCorp Consul Fedora
NVD
CVSS 3.1
7.5
EPSS
8.7%
CVE-2022-24687 Go MEDIUM PATCH This Month

HashiCorp Consul and Consul Enterprise 1.9.0 through 1.9.14, 1.10.7, and 1.11.2 clusters with at least one Ingress Gateway allow a user with service:write to register a specifically-defined service. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Hashicorp Information Disclosure HashiCorp Consul
NVD
CVSS 3.1
6.5
EPSS
1.4%
CVE-2021-41805 HIGH This Week

HashiCorp Consul Enterprise before 1.8.17, 1.9.x before 1.9.11, and 1.10.x before 1.10.4 has Incorrect Access Control. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Hashicorp Authentication Bypass HashiCorp Consul
NVD
CVSS 3.1
8.8
EPSS
34.8%
CVE-2021-38698 Go MEDIUM PATCH This Month

HashiCorp Consul and Consul Enterprise 1.10.1 Txn.Apply endpoint allowed services to register proxies for other services, enabling access to service traffic. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Hashicorp Authentication Bypass HashiCorp Consul
NVD
CVSS 3.1
6.5
EPSS
1.5%
CVE-2021-37219 Go HIGH PATCH This Week

HashiCorp Consul and Consul Enterprise 1.10.1 Raft RPC layer allows non-server agents with a valid certificate signed by the same CA to access server-only functionality, enabling privilege. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Hashicorp HashiCorp Consul
NVD
CVSS 3.1
8.8
EPSS
1.1%
CVE-2021-36213 Go HIGH PATCH This Week

HashiCorp Consul and Consul Enterprise 1.9.0 through 1.10.0 default deny policy with a single L7 application-aware intention deny action cancels out, causing the intention to incorrectly fail open,. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Hashicorp HashiCorp Consul
NVD GitHub
CVSS 3.1
7.5
EPSS
1.7%
CVE-2021-32574 Go HIGH PATCH This Week

HashiCorp Consul and Consul Enterprise 1.3.0 through 1.10.0 Envoy proxy TLS configuration does not validate destination service identity in the encoded subject alternative name. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Hashicorp HashiCorp Consul
NVD GitHub
CVSS 3.1
7.5
EPSS
1.5%
CVE-2021-28156 HIGH This Week

HashiCorp Consul Enterprise version 1.8.0 up to 1.9.4 audit log can be bypassed by specifically crafted HTTP events. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Hashicorp Authentication Bypass HashiCorp Consul
NVD
CVSS 3.1
7.5
EPSS
2.3%
CVE-2021-3121 Go HIGH PATCH This Week

An issue was discovered in GoGo Protobuf before 1.3.2. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Protobuf HashiCorp Consul
NVD GitHub
CVSS 3.1
8.6
EPSS
3.5%
CVE-2020-28053 Go MEDIUM PATCH This Month

HashiCorp Consul and Consul Enterprise 1.2.0 up to 1.8.5 allowed operators with operator:read ACL permissions to read the Connect CA private key configuration. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Hashicorp Authentication Bypass HashiCorp Consul
NVD GitHub
CVSS 3.1
6.5
EPSS
1.4%
CVE-2020-25201 Go HIGH PATCH This Week

HashiCorp Consul Enterprise version 1.7.0 up to 1.8.4 includes a namespace replication bug which can be triggered to cause denial of service via infinite Raft writes. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Hashicorp Denial Of Service HashiCorp Consul
NVD GitHub
CVSS 3.1
7.5
EPSS
2.6%
CVE-2020-13250 Go HIGH PATCH This Week

HashiCorp Consul and Consul Enterprise include an HTTP API (introduced in 1.2.0) and DNS (introduced in 1.4.3) caching feature that was vulnerable to denial of service. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Allocation of Resources Without Limits vulnerability could allow attackers to exhaust system resources through uncontrolled allocation.

Hashicorp Denial Of Service HashiCorp Consul
NVD GitHub
CVSS 3.1
7.5
EPSS
2.9%
CVE-2020-13170 Go HIGH PATCH This Week

HashiCorp Consul and Consul Enterprise did not appropriately enforce scope for local tokens issued by a primary data center, where replication to a secondary data center was not enabled. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Hashicorp Information Disclosure HashiCorp Consul
NVD GitHub
CVSS 3.1
7.5
EPSS
1.7%
CVE-2020-12797 Go MEDIUM PATCH This Month

HashiCorp Consul and Consul Enterprise failed to enforce changes to legacy ACL token rules due to non-propagation to secondary data centers. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Hashicorp Information Disclosure HashiCorp Consul
NVD GitHub
CVSS 3.1
5.3
EPSS
1.6%
CVE-2020-12758 Go HIGH PATCH This Week

HashiCorp Consul and Consul Enterprise could crash when configured with an abnormally-formed service-router entry. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Hashicorp Denial Of Service HashiCorp Consul
NVD GitHub
CVSS 3.1
7.5
EPSS
1.7%
CVE-2020-7955 Go MEDIUM PATCH This Month

HashiCorp Consul and Consul Enterprise 1.4.1 through 1.6.2 did not uniformly enforce ACLs across all API endpoints, resulting in potential unintended information disclosure. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Hashicorp Authentication Bypass Information Disclosure HashiCorp Consul
NVD GitHub
CVSS 3.1
5.3
EPSS
1.4%
CVE-2020-7219 Go HIGH PATCH This Week

HashiCorp Consul and Consul Enterprise up to 1.6.2 HTTP/RPC services allowed unbounded resource usage, and were susceptible to unauthenticated denial of service. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Hashicorp Denial Of Service HashiCorp Consul
NVD GitHub
CVSS 3.1
7.5
EPSS
2.0%
CVE-2019-16377 Ruby CRITICAL POC PATCH Act Now

The makandra consul gem through 1.0.2 for Ruby has Incorrect Access Control. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure HashiCorp Consul
NVD GitHub
CVSS 3.1
9.8
EPSS
2.6%
CVE-2019-12291 Go HIGH PATCH This Week

HashiCorp Consul 1.4.0 through 1.5.0 has Incorrect Access Control. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Hashicorp HashiCorp Consul
NVD GitHub
CVSS 3.0
7.5
EPSS
1.2%
CVE-2019-9764 Go HIGH POC PATCH This Week

HashiCorp Consul 1.4.3 lacks server hostname verification for agent-to-agent TLS communication. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Information Disclosure Hashicorp HashiCorp Consul
NVD GitHub
CVSS 3.0
7.4
EPSS
0.6%
CVE-2019-8336 Go HIGH PATCH This Week

HashiCorp Consul (and Consul Enterprise) 1.4.x before 1.4.3 allows a client to bypass intended access restrictions and obtain the privileges of one other arbitrary token within secondary datacenters,. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Authentication Bypass Hashicorp HashiCorp Consul
NVD GitHub
CVSS 3.0
8.1
EPSS
1.3%
CVE-2018-19653 Go MEDIUM PATCH This Month

HashiCorp Consul 0.5.1 through 1.4.0 can use cleartext agent-to-agent RPC communication because the verify_outgoing setting is improperly documented. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required.

Hashicorp Information Disclosure HashiCorp Consul
NVD GitHub
CVSS 3.0
5.9
EPSS
1.2%
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

A vulnerability was identified in Consul and Consul Enterprise such that the server response did not explicitly set a Content-Type HTTP header, allowing user-provided inputs to be misinterpreted and. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS HashiCorp Consul
NVD
EPSS 0% CVSS 5.8
MEDIUM PATCH This Month

A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such that using Headers in L7 traffic intentions could bypass HTTP header based access rules. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass HashiCorp Consul
NVD
EPSS 1% CVSS 5.8
MEDIUM PATCH This Month

A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such that using URL paths in L7 traffic intentions could bypass HTTP request path-based access rules. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal HashiCorp Consul
NVD
EPSS 1% CVSS 8.1
HIGH POC PATCH This Week

Patch in third party library Consul requires 'enable-script-checks' to be set to False. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

Gitlab Authentication Bypass HashiCorp Consul
NVD
EPSS 0% CVSS 7.3
HIGH PATCH This Week

HashiCorp Consul and Consul Enterprise 1.16.0 when using JWT Auth for service mesh incorrectly allows/denies access regardless of service identities. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Hashicorp HashiCorp Consul
NVD
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

Consul and Consul Enterprise allowed any user with service:write permissions to use Envoy extensions configured via service-defaults to patch remote proxy instances that target the configured. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure HashiCorp Consul
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Consul and Consul Enterprise's cluster peering implementation contained a flaw whereby a peer cluster with service of the same name as a local service could corrupt Consul state, resulting in denial. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service HashiCorp Consul
NVD
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

Consul and Consul Enterprise allowed an authenticated user with service:write permissions to trigger a workflow that causes Consul server and client agents to crash under certain circumstances. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service Null Pointer Dereference HashiCorp Consul
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

HashiCorp Consul and Consul Enterprise 1.13.0 up to 1.13.3 do not filter cluster filtering's imported nodes and services for HTTP or RPC endpoints used by the UI. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Hashicorp HashiCorp Consul
NVD
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

HashiCorp Consul and Consul Enterprise up to 1.11.8, 1.12.4, and 1.13.1 do not check for multiple SAN URI values in a CSR on the internal RPC endpoint, enabling leverage of privileged access to. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Hashicorp Authentication Bypass HashiCorp Consul
NVD
EPSS 9% CVSS 7.5
HIGH POC PATCH This Week

HashiCorp Consul and Consul Enterprise up to 1.9.16, 1.10.9, and 1.11.4 may allow server side request forgery when the Consul client agent follows redirects returned by HTTP health check endpoints. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Hashicorp HashiCorp Consul +1
NVD
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

HashiCorp Consul and Consul Enterprise 1.9.0 through 1.9.14, 1.10.7, and 1.11.2 clusters with at least one Ingress Gateway allow a user with service:write to register a specifically-defined service. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Hashicorp Information Disclosure HashiCorp Consul
NVD
EPSS 35% CVSS 8.8
HIGH This Week

HashiCorp Consul Enterprise before 1.8.17, 1.9.x before 1.9.11, and 1.10.x before 1.10.4 has Incorrect Access Control. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Hashicorp Authentication Bypass +1
NVD
EPSS 2% CVSS 6.5
MEDIUM PATCH This Month

HashiCorp Consul and Consul Enterprise 1.10.1 Txn.Apply endpoint allowed services to register proxies for other services, enabling access to service traffic. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Hashicorp Authentication Bypass HashiCorp Consul
NVD
EPSS 1% CVSS 8.8
HIGH PATCH This Week

HashiCorp Consul and Consul Enterprise 1.10.1 Raft RPC layer allows non-server agents with a valid certificate signed by the same CA to access server-only functionality, enabling privilege. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Hashicorp HashiCorp Consul
NVD
EPSS 2% CVSS 7.5
HIGH PATCH This Week

HashiCorp Consul and Consul Enterprise 1.9.0 through 1.10.0 default deny policy with a single L7 application-aware intention deny action cancels out, causing the intention to incorrectly fail open,. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Hashicorp HashiCorp Consul
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

HashiCorp Consul and Consul Enterprise 1.3.0 through 1.10.0 Envoy proxy TLS configuration does not validate destination service identity in the encoded subject alternative name. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Hashicorp HashiCorp Consul
NVD GitHub
EPSS 2% CVSS 7.5
HIGH This Week

HashiCorp Consul Enterprise version 1.8.0 up to 1.9.4 audit log can be bypassed by specifically crafted HTTP events. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Hashicorp Authentication Bypass HashiCorp Consul
NVD
EPSS 3% CVSS 8.6
HIGH PATCH This Week

An issue was discovered in GoGo Protobuf before 1.3.2. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Protobuf HashiCorp Consul
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

HashiCorp Consul and Consul Enterprise 1.2.0 up to 1.8.5 allowed operators with operator:read ACL permissions to read the Connect CA private key configuration. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Hashicorp Authentication Bypass HashiCorp Consul
NVD GitHub
EPSS 3% CVSS 7.5
HIGH PATCH This Week

HashiCorp Consul Enterprise version 1.7.0 up to 1.8.4 includes a namespace replication bug which can be triggered to cause denial of service via infinite Raft writes. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Hashicorp Denial Of Service HashiCorp Consul
NVD GitHub
EPSS 3% CVSS 7.5
HIGH PATCH This Week

HashiCorp Consul and Consul Enterprise include an HTTP API (introduced in 1.2.0) and DNS (introduced in 1.4.3) caching feature that was vulnerable to denial of service. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Allocation of Resources Without Limits vulnerability could allow attackers to exhaust system resources through uncontrolled allocation.

Hashicorp Denial Of Service HashiCorp Consul
NVD GitHub
EPSS 2% CVSS 7.5
HIGH PATCH This Week

HashiCorp Consul and Consul Enterprise did not appropriately enforce scope for local tokens issued by a primary data center, where replication to a secondary data center was not enabled. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Hashicorp Information Disclosure HashiCorp Consul
NVD GitHub
EPSS 2% CVSS 5.3
MEDIUM PATCH This Month

HashiCorp Consul and Consul Enterprise failed to enforce changes to legacy ACL token rules due to non-propagation to secondary data centers. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Hashicorp Information Disclosure HashiCorp Consul
NVD GitHub
EPSS 2% CVSS 7.5
HIGH PATCH This Week

HashiCorp Consul and Consul Enterprise could crash when configured with an abnormally-formed service-router entry. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Hashicorp Denial Of Service HashiCorp Consul
NVD GitHub
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

HashiCorp Consul and Consul Enterprise 1.4.1 through 1.6.2 did not uniformly enforce ACLs across all API endpoints, resulting in potential unintended information disclosure. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Hashicorp Authentication Bypass Information Disclosure +1
NVD GitHub
EPSS 2% CVSS 7.5
HIGH PATCH This Week

HashiCorp Consul and Consul Enterprise up to 1.6.2 HTTP/RPC services allowed unbounded resource usage, and were susceptible to unauthenticated denial of service. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Hashicorp Denial Of Service HashiCorp Consul
NVD GitHub
EPSS 3% CVSS 9.8
CRITICAL POC PATCH Act Now

The makandra consul gem through 1.0.2 for Ruby has Incorrect Access Control. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure HashiCorp Consul
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

HashiCorp Consul 1.4.0 through 1.5.0 has Incorrect Access Control. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Hashicorp HashiCorp Consul
NVD GitHub
EPSS 1% CVSS 7.4
HIGH POC PATCH This Week

HashiCorp Consul 1.4.3 lacks server hostname verification for agent-to-agent TLS communication. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Information Disclosure Hashicorp HashiCorp Consul
NVD GitHub
EPSS 1% CVSS 8.1
HIGH PATCH This Week

HashiCorp Consul (and Consul Enterprise) 1.4.x before 1.4.3 allows a client to bypass intended access restrictions and obtain the privileges of one other arbitrary token within secondary datacenters,. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Authentication Bypass Hashicorp HashiCorp Consul
NVD GitHub
EPSS 1% CVSS 5.9
MEDIUM PATCH This Month

HashiCorp Consul 0.5.1 through 1.4.0 can use cleartext agent-to-agent RPC communication because the verify_outgoing setting is improperly documented. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required.

Hashicorp Information Disclosure HashiCorp Consul
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy