Lucene search
K
HashicorpConsul

35 matches found

CVE
CVE
added 2023/08/09 3:6 p.m.2857 views

CVE-2023-3518

HashiCorp Consul and Consul Enterprise 1.16.0 had a vulnerability in JWT-based service-mesh authentication that allowed or denied access independent of service identities. The issue is fixed in version 1.16.1. No exploitation details are provided in the connected documents. Affected product/versi...

7.4CVSS7.1AI score0.0038EPSS
CVE
CVE
added 2022/09/23 12:0 a.m.2006 views

CVE-2021-41803

CVE-2021-41803 affects HashiCorp Consul 1.8.1–1.11.8, 1.12.4, and 1.13.1; root cause is improper validation of node/segment names before interpolation and usage in JWT claim assertions via auto config RPC. Consequences and exploitation details are not further described in the supplied documents. ...

7.1CVSS6.7AI score0.00846EPSS
CVE
CVE
added 2021/01/11 5:57 a.m.680 views

CVE-2021-3121

CVE-2021-3121 affects GoGo Protobuf prior to 1.3.2, where plugin/unmarshal/unmarshal.go lacks certain index validation (the “skippy peanut butter” issue). The vulnerability is tied to insufficient input/index validation in the unmarshal path, with CVSS indications in the sources, but exploitation...

8.6CVSS8.2AI score0.03478EPSS
CVE
CVE
added 2022/09/23 12:0 a.m.480 views

CVE-2022-40716

HashiCorp Consul and Consul Enterprise are affected by CVE-2022-40716 due to not checking multiple SAN URI values in a CSR on the internal RPC endpoint. Affected versions: Consul and Consul Enterprise up to 1.11.8, 1.12.4, and 1.13.1. Fixed in 1.11.9, 1.12.5, and 1.13.2. The issue enables privile...

6.5CVSS7AI score0.00849EPSS
CVE
CVE
added 2022/11/15 11:25 p.m.471 views

CVE-2022-3920

Summary (CVE-2022-3920) HashiCorp Consul and Consul Enterprise versions 1.13.0–1.13.3 expose information via UI endpoints because cluster filtering does not filter imported nodes and services for HTTP or RPC endpoints. Root cause: inadequate filtering of cluster data used by the UI. Impact: poten...

7.5CVSS6.1AI score0.0066EPSS
CVE
CVE
added 2023/03/09 3:14 p.m.436 views

CVE-2023-0845

CVE-2023-0845 affects HashiCorp Consul and Consul Enterprise. An authenticated user with service:write permissions could trigger a workflow that, under certain conditions, causes the Consul server and client agents to crash. The issue has a confirmed fix in Consul 1.14.5. The provided connected d...

6.5CVSS5.6AI score0.01005EPSS
CVE
CVE
added 2023/06/02 10:48 p.m.414 views

CVE-2023-1297

CVE-2023-1297 affects HashiCorp Consul and Consul Enterprise cluster peering. A peer cluster with a service named the same as a local service could corrupt Consul state, leading to denial of service. The vulnerability is addressed by upgrading to Consul 1.14.5 or 1.15.3. Other connected sources c...

7.5CVSS5.8AI score0.00768EPSS
CVE
CVE
added 2022/04/19 12:0 a.m.404 views

CVE-2022-29153

CVE-2022-29153 (HashiCorp Consul/Consul Enterprise SSRF) is triggered by a server-side request forgery when the Consul client follows HTTP health-check redirects. Affected versions include Consul and Consul Enterprise prior to fixes: 1.9.16 and earlier, 1.10.9 and earlier, 1.11.4 and earlier. The...

7.5CVSS7.4AI score0.08676EPSS
In wild
CVE
CVE
added 2021/07/17 5:28 p.m.402 views

CVE-2021-32574

CVE-2021-32574 affects HashiCorp Consul and Consul Enterprise versions 1.3.0 through 1.10.0, where the Envoy proxy TLS configuration does not validate the destination service identity in the encoded SAN. This could allow a remote attacker to masquerade as another service. The issue is fixed in ve...

7.5CVSS7.4AI score0.01457EPSS
CVE
CVE
added 2021/07/17 5:32 p.m.387 views

CVE-2021-36213

HashiCorp Consul and Consul Enterprise versions 1.9.0–1.10.0 are affected by CVE-2021-36213, where a single L7 application-aware deny action under a default-deny policy can cancel the intention and incorrectly allow L4 traffic. The issue is fixed in Consul/Consul Enterprise 1.9.8 and 1.10.1 (upst...

7.5CVSS7.3AI score0.0174EPSS
CVE
CVE
added 2021/04/20 1:7 p.m.384 views

CVE-2020-25864

HashiCorp Consul and Consul Enterprise up to version 1.9.4 expose a cross-site scripting (XSS) vulnerability in the KV raw mode. The issue stems from the KV raw mode handling, allowing XSS payloads to execute. Fixed in versions 1.9.5, 1.8.10, and 1.7.14. Upgrading to one of these versions mitigat...

6.1CVSS5.9AI score0.06095EPSS
CVE
CVE
added 2021/09/07 11:33 a.m.356 views

CVE-2021-37219

HashiCorp Consul and Consul Enterprise 1.10.1 Raft RPC layer is affected: non-server agents with a certificate signed by the same CA can access server-only functionality, enabling privilege escalation. The issue is fixed in versions 1.8.15, 1.9.9, and 1.10.2. Impact and remediation details come f...

8.8CVSS8.4AI score0.01149EPSS
CVE
CVE
added 2020/01/31 12:39 p.m.334 views

CVE-2020-7219

CVE-2020-7219 affects HashiCorp Consul and Consul Enterprise up to 1.6.2, where HTTP/RPC services could cause unbounded resource usage and unauthenticated denial of service. The issue is fixed in 1.6.3. Affected component: Consul HTTP/RPC services; root cause details are not expanded beyond the u...

7.5CVSS7.4AI score0.0201EPSS
CVE
CVE
added 2021/09/07 11:45 a.m.329 views

CVE-2021-38698

CVE-2021-38698 affects HashiCorp Consul and Consul Enterprise (Txn.Apply endpoint). The issue allowed a service to register proxies for other services, enabling access to service traffic. Root cause: missing authorization check on Txn.Apply path permitted cross-service proxy registration. Impact ...

6.5CVSS6.4AI score0.01523EPSS
CVE
CVE
added 2018/12/09 7:0 p.m.319 views

CVE-2018-19653

CVE-2018-19653 affects HashiCorp Consul versions 0.5.1 through 1.4.0. The issue enables cleartext agent-to-agent RPC due to the verify_outgoing setting being inadequately documented, as described in the initial entry. Connected sources corroborate the vulnerability and note that vendor-provided r...

5.9CVSS5.8AI score0.01223EPSS
CVE
CVE
added 2019/03/26 1:5 p.m.295 views

CVE-2019-9764

CVE-2019-9764 affects HashiCorp Consul 1.4.3, where agent-to-agent TLS does not verify server hostname, making it behave as if verify_server_hostname were false. This can impact confidentiality and integrity (per CVSS metadata). The issue is fixed in 1.4.4; remediation is to upgrade to 1.4.4 or l...

7.4CVSS7.1AI score0.00605EPSS
CVE
CVE
added 2022/02/24 3:37 p.m.164 views

CVE-2022-24687

CVE-2022-24687 affects HashiCorp Consul and Consul Enterprise clusters: versions 1.9.0–1.9.14, 1.10.7, and 1.11.2 are vulnerable. A user with the service:write permission on an Ingress Gateway can register a specially-crafted service that may cause Consul servers to panic, impacting availability....

6.5CVSS6.3AI score0.01366EPSS
CVE
CVE
added 2024/10/30 9:19 p.m.154 views

CVE-2024-10005

CVE-2024-10005 affects Consul and Consul Enterprise. The issue arises from using URL paths in L7 traffic intentions, allowing bypass of HTTP request path-based access rules. Evidence from multiple sources (NVD entry and industry advisories) confirms the vulnerability in Consul’s URL path handling...

8.1CVSS6.6AI score0.00731EPSS
CVE
CVE
added 2021/04/20 3:2 p.m.139 views

CVE-2021-28156

CVE-2021-28156 affects HashiCorp Consul Enterprise: versions 1.8.0 through 1.9.4 are vulnerable where the audit log can be bypassed via specifically crafted HTTP events. The issue is fixed in 1.9.5 and in 1.8.10. Connected documents confirm the vulnerability details and the fixed versions; no exp...

7.5CVSS7.3AI score0.02273EPSS
CVE
CVE
added 2019/06/06 4:35 p.m.130 views

CVE-2019-12291

HashiCorp Consul 1.4.0–1.5.0 contains an Incorrect Access Control flaw where keys not matching a specific ACL rule used for prefix matching can be deleted by a token bound to that policy, even with default-deny settings. Root cause involves ACL enforcement for local tokens/policy scope, as descri...

7.5CVSS7.4AI score0.01157EPSS
CVE
CVE
added 2024/10/30 9:21 p.m.127 views

CVE-2024-10086

CVE-2024-10086 affects Consul and Consul Enterprise. The issue arises when the server response does not explicitly set a Content-Type header, allowing user-provided inputs to be interpreted under an unintended context and potentially lead to reflected XSS. The available sources confirm the vulner...

6.1CVSS6AI score0.00427EPSS
CVE
CVE
added 2024/10/30 9:20 p.m.126 views

CVE-2024-10006

CVE-2024-10006 affects Consul and Consul Enterprise. The issue enables bypassing HTTP header based access rules by manipulating Headers in L7 traffic intentions. The vulnerability is defined in public advisories and CVSS vectors indicate high impact (noting different scope/impact across sources)....

8.3CVSS6.6AI score0.00473EPSS
CVE
CVE
added 2023/12/04 6:30 a.m.104 views

CVE-2023-5332

CVE-2023-5332 concerns a vulnerability in the third‑party library Consul used by GitLab‑EE. The patch patching this issue requires enable-script-checks to be set to False; if not, the patch could be bypassed. The issue affects GitLab‑EE via Consul script-check configuration. Exploitation details ...

8.1CVSS6.5AI score0.00742EPSS
CVE
CVE
added 2020/11/04 10:32 p.m.100 views

CVE-2020-25201

Summary: CVE-2020-25201 affects HashiCorp Consul Enterprise versions 1.7.0 through 1.8.4. A namespace replication bug can be triggered to cause a denial of service via infinite Raft writes. The issue is fixed in 1.7.9 and 1.8.5. Affected software: HashiCorp Consul Enterprise (v1.7.x up to 1.8.4)....

7.5CVSS7.2AI score0.02579EPSS
CVE
CVE
added 2020/11/23 1:11 p.m.99 views

CVE-2020-28053

The CVE-2020-28053 entry applies to HashiCorp Consul and Consul Enterprise, version 1.2.0 through 1.8.5, where operators with operator:read ACL permissions could read the Connect CA private key configuration. The issue is resolved in 1.6.10, 1.7.10, and 1.8.6. Affected products include Consul Cor...

6.5CVSS6.3AI score0.01379EPSS
CVE
CVE
added 2021/12/12 4:51 a.m.93 views

CVE-2021-41805

CVE-2021-41805 affects HashiCorp Consul Enterprise before 1.8.17, 1.9.x before 1.9.11, and 1.10.x before 1.10.4, due to Incorrect Access Control. An ACL token with default operator:write permissions in one namespace can be used for unintended privilege escalation in a different namespace. The pro...

8.8CVSS8.7AI score0.3479EPSS
CVE
CVE
added 2023/06/02 10:43 p.m.92 views

CVE-2023-2816

CVE-2023-2816 affects HashiCorp Consul/Consul Enterprise: any user with service:write can use Envoy extensions configured via service-defaults to patch remote proxy instances targeting a service, regardless of permissions on that service. This implies potential unauthorized proxy modification wit...

8.7CVSS7.2AI score0.00585EPSS
CVE
CVE
added 2020/01/31 12:19 p.m.85 views

CVE-2020-7955

HashiCorp Consul and Consul Enterprise versions 1.4.1–1.6.2 did not uniformly enforce ACLs across all API endpoints, potentially enabling information disclosure. Root cause: inconsistent ACL enforcement leading to exposure of information via multiple API endpoints. Impact: partial confidentiality...

5.3CVSS5.2AI score0.01412EPSS
CVE
CVE
added 2020/06/11 7:16 p.m.72 views

CVE-2020-13250

CVE-2020-13250 affects HashiCorp Consul and Consul Enterprise, where an HTTP API (1.2.0) and DNS (1.4.3) caching feature could be abused to cause a denial of service. The vulnerability is fixed in Consul 1.6.6 and Consul Enterprise 1.7.4. The provided connected documents confirm the core impact (...

7.5CVSS7.2AI score0.02851EPSS
CVE
CVE
added 2020/06/11 7:41 p.m.69 views

CVE-2020-13170

CVE-2020-13170 affects HashiCorp Consul and Consul Enterprise. The issue is that the system did not properly enforce scope for local tokens issued by the primary data center when replication to a secondary data center was not enabled. This mis-scoping could lead to tokens being usable across data...

7.5CVSS7.3AI score0.01725EPSS
CVE
CVE
added 2020/06/11 7:23 p.m.68 views

CVE-2020-12758

CVE-2020-12758 affects HashiCorp Consul and Consul Enterprise. A crash can occur when configured with an abnormally-formed service-router entry. Introduced in 1.6.0 and fixed in 1.6.6 and 1.7.4. Public details confirm the impact is a crash; no exploitation details are provided in the connected so...

7.5CVSS7.4AI score0.01709EPSS
CVE
CVE
added 2020/06/11 7:37 p.m.63 views

CVE-2020-12797

The CVE-2020-12797 entry affects HashiCorp Consul and Consul Enterprise. The issue is that changes to legacy ACL token rules were not propagated to secondary data centers, leaving rule updates potentially inconsistent across sites. It was introduced in version 1.4.0 and fixed in 1.6.6 and 1.7.4. ...

5.3CVSS5.1AI score0.01552EPSS
CVE
CVE
added 2019/03/05 11:0 p.m.60 views

CVE-2019-8336

HashiCorp Consul (and Consul Enterprise) 1.4.x before 1.4.3 is vulnerable to an access-restriction bypass, enabling a client to obtain the privileges of another arbitrary token in secondary datacenters due to a token with "" as its secret. Impact: privilege escalation. Remediation: upgrade to 1.4...

8.1CVSS7.9AI score0.01251EPSS
CVE
CVE
added 2025/10/28 8:12 p.m.22 views

CVE-2025-11375

CVE-2025-11375 affects HashiCorp Consul and Consul Enterprise. The issue is a DoS vulnerability in the event endpoint caused by lack of a maximum value on the Content-Length header. Affected versions include Consul Community Edition up to 1.21.5 and Consul Enterprise up to 1.21.5, with fixes in C...

6.5CVSS6.3AI score0.00399EPSS
CVE
CVE
added 2025/10/28 8:19 p.m.18 views

CVE-2025-11374

CVE-2025-11374 affects HashiCorp Consul and Consul Enterprise, specifically the key/value endpoint, due to incorrect Content Length header validation leading to DoS. IBM’s security bulletin documents affected versions: Consul Community Edition 0.0.1–1.21.5 and Consul Enterprise 1.21.0–1.21.51.20....

6.5CVSS6.3AI score0.00402EPSS