Total
26 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-9764 | 1 Hashicorp | 1 Consul | 2020-08-24 | 5.8 MEDIUM | 7.4 HIGH |
| HashiCorp Consul 1.4.3 lacks server hostname verification for agent-to-agent TLS communication. In other words, the product behaves as if verify_server_hostname were set to false, even when it is actually set to true. This is fixed in 1.4.4. | |||||
| CVE-2019-8336 | 1 Hashicorp | 1 Consul | 2020-08-24 | 6.8 MEDIUM | 8.1 HIGH |
| HashiCorp Consul (and Consul Enterprise) 1.4.x before 1.4.3 allows a client to bypass intended access restrictions and obtain the privileges of one other arbitrary token within secondary datacenters, because a token with literally "<hidden>" as its secret is used in unusual circumstances. | |||||
| CVE-2019-12291 | 1 Hashicorp | 1 Consul | 2020-08-24 | 6.4 MEDIUM | 7.5 HIGH |
| HashiCorp Consul 1.4.0 through 1.5.0 has Incorrect Access Control. Keys not matching a specific ACL rule used for prefix matching in a policy can be deleted by a token using that policy even with default deny settings configured. | |||||
| CVE-2020-13170 | 1 Hashicorp | 1 Consul | 2020-06-17 | 5.0 MEDIUM | 7.5 HIGH |
| HashiCorp Consul and Consul Enterprise did not appropriately enforce scope for local tokens issued by a primary data center, where replication to a secondary data center was not enabled. Introduced in 1.4.0, fixed in 1.6.6 and 1.7.4. | |||||
| CVE-2020-12758 | 1 Hashicorp | 1 Consul | 2020-06-17 | 5.0 MEDIUM | 7.5 HIGH |
| HashiCorp Consul and Consul Enterprise could crash when configured with an abnormally-formed service-router entry. Introduced in 1.6.0, fixed in 1.6.6 and 1.7.4. | |||||
| CVE-2018-19653 | 1 Hashicorp | 1 Consul | 2019-02-06 | 4.3 MEDIUM | 5.9 MEDIUM |
| HashiCorp Consul 0.5.1 through 1.4.0 can use cleartext agent-to-agent RPC communication because the verify_outgoing setting is improperly documented. NOTE: the vendor has provided reconfiguration steps that do not require a software upgrade. | |||||