Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Consul
(Hashicorp)| Repositories |
Unknown: This might be proprietary software. |
| #Vulnerabilities | 33 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2020-06-11 | CVE-2020-13250 | HashiCorp Consul and Consul Enterprise include an HTTP API (introduced in 1.2.0) and DNS (introduced in 1.4.3) caching feature that was vulnerable to denial of service. Fixed in 1.6.6 and 1.7.4. | Consul | 7.5 | ||
| 2020-11-04 | CVE-2020-25201 | HashiCorp Consul Enterprise version 1.7.0 up to 1.8.4 includes a namespace replication bug which can be triggered to cause denial of service via infinite Raft writes. Fixed in 1.7.9 and 1.8.5. | Consul | 7.5 | ||
| 2020-11-23 | CVE-2020-28053 | HashiCorp Consul and Consul Enterprise 1.2.0 up to 1.8.5 allowed operators with operator:read ACL permissions to read the Connect CA private key configuration. Fixed in 1.6.10, 1.7.10, and 1.8.6. | Consul | 6.5 | ||
| 2021-01-11 | CVE-2021-3121 | An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarshal/unmarshal.go lacks certain index validation, aka the "skippy peanut butter" issue. | Protobuf, Consul | 8.6 | ||
| 2021-04-20 | CVE-2020-25864 | HashiCorp Consul and Consul Enterprise up to version 1.9.4 key-value (KV) raw mode was vulnerable to cross-site scripting. Fixed in 1.9.5, 1.8.10 and 1.7.14. | Consul | 6.1 | ||
| 2021-04-20 | CVE-2021-28156 | HashiCorp Consul Enterprise version 1.8.0 up to 1.9.4 audit log can be bypassed by specifically crafted HTTP events. Fixed in 1.9.5, and 1.8.10. | Consul | 7.5 | ||
| 2021-07-17 | CVE-2021-32574 | HashiCorp Consul and Consul Enterprise 1.3.0 through 1.10.0 Envoy proxy TLS configuration does not validate destination service identity in the encoded subject alternative name. Fixed in 1.8.14, 1.9.8, and 1.10.1. | Consul | 7.5 | ||
| 2021-07-17 | CVE-2021-36213 | HashiCorp Consul and Consul Enterprise 1.9.0 through 1.10.0 default deny policy with a single L7 application-aware intention deny action cancels out, causing the intention to incorrectly fail open, allowing L4 traffic. Fixed in 1.9.8 and 1.10.1. | Consul | 7.5 | ||
| 2021-09-07 | CVE-2021-37219 | HashiCorp Consul and Consul Enterprise 1.10.1 Raft RPC layer allows non-server agents with a valid certificate signed by the same CA to access server-only functionality, enabling privilege escalation. Fixed in 1.8.15, 1.9.9 and 1.10.2. | Consul | 8.8 | ||
| 2021-09-07 | CVE-2021-38698 | HashiCorp Consul and Consul Enterprise 1.10.1 Txn.Apply endpoint allowed services to register proxies for other services, enabling access to service traffic. Fixed in 1.8.15, 1.9.9 and 1.10.2. | Consul | 6.5 |