CVE-2019-12291 (NVD)

2019-06-06

HashiCorp Consul 1.4.0 through 1.5.0 has Incorrect Access Control. Keys not matching a specific ACL rule used for prefix matching in a policy can be deleted by a token using that policy even with default deny settings configured.

Products: Consul
Type: Improper Access Control (CWE-284)
First patch: None (likely due to unavailable code)
Links: https://github.com/hashicorp/consul/issues/5888