Consul HashiCorp Consul

Do you want an email whenever new security vulnerabilities are reported in HashiCorp Consul?

By the Year

In 2024 there have been 0 vulnerabilities in HashiCorp Consul . Last year Consul had 5 security vulnerabilities published. Right now, Consul is on track to have less security vulnerabilities in 2024 than it did last year.

Year Vulnerabilities Average Score
2024 0 0.00
2023 5 7.18
2022 5 7.02
2021 8 7.66
2020 8 6.83
2019 3 7.67
2018 1 5.90

It may take a day or so for new Consul vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.

Recent HashiCorp Consul Security Vulnerabilities

Patch in third party library Consul requires 'enable-script-checks' to be set to False

CVE-2023-5332 8.1 - High - December 04, 2023

Patch in third party library Consul requires 'enable-script-checks' to be set to False. This was required to enable a patch by the vendor. Without this setting the patch could be bypassed. This only affects GitLab-EE.

HashiCorp Consul and Consul Enterprise 1.16.0 when using JWT Auth for service mesh incorrectly

CVE-2023-3518 7.3 - High - August 09, 2023

HashiCorp Consul and Consul Enterprise 1.16.0 when using JWT Auth for service mesh incorrectly allows/denies access regardless of service identities. Fixed in 1.16.1.

Consul and Consul Enterprise's cluster peering implementation contained a flaw whereby a peer cluster with service of the same name as a local service could corrupt Consul state

CVE-2023-1297 7.5 - High - June 02, 2023

Consul and Consul Enterprise's cluster peering implementation contained a flaw whereby a peer cluster with service of the same name as a local service could corrupt Consul state, resulting in denial of service. This vulnerability was resolved in Consul 1.14.5, and 1.15.3

Consul and Consul Enterprise allowed any user with service:write permissions to use Envoy extensions configured via service-defaults to patch remote proxy instances

CVE-2023-2816 6.5 - Medium - June 02, 2023

Consul and Consul Enterprise allowed any user with service:write permissions to use Envoy extensions configured via service-defaults to patch remote proxy instances that target the configured service, regardless of whether the user has permission to modify the service(s) corresponding to those modified proxies.

Consul and Consul Enterprise allowed an authenticated user with service:write permissions to trigger a workflow

CVE-2023-0845 6.5 - Medium - March 09, 2023

Consul and Consul Enterprise allowed an authenticated user with service:write permissions to trigger a workflow that causes Consul server and client agents to crash under certain circumstances. This vulnerability was fixed in Consul 1.14.5.

NULL Pointer Dereference

HashiCorp Consul and Consul Enterprise 1.13.0 up to 1.13.3 do not filter cluster filtering's imported nodes and services for HTTP or RPC endpoints used by the UI

CVE-2022-3920 7.5 - High - November 16, 2022

HashiCorp Consul and Consul Enterprise 1.13.0 up to 1.13.3 do not filter cluster filtering's imported nodes and services for HTTP or RPC endpoints used by the UI. Fixed in 1.14.0.

AuthZ

HashiCorp Consul and Consul Enterprise up to 1.11.8

CVE-2022-40716 6.5 - Medium - September 23, 2022

HashiCorp Consul and Consul Enterprise up to 1.11.8, 1.12.4, and 1.13.1 do not check for multiple SAN URI values in a CSR on the internal RPC endpoint, enabling leverage of privileged access to bypass service mesh intentions. Fixed in 1.11.9, 1.12.5, and 1.13.2."

Unchecked Return Value

HashiCorp Consul 1.8.1 up to 1.11.8

CVE-2021-41803 7.1 - High - September 23, 2022

HashiCorp Consul 1.8.1 up to 1.11.8, 1.12.4, and 1.13.1 do not properly validate the node or segment names prior to interpolation and usage in JWT claim assertions with the auto config RPC. Fixed in 1.11.9, 1.12.5, and 1.13.2."

AuthZ

HashiCorp Consul and Consul Enterprise up to 1.9.16, 1.10.9, and 1.11.4 may

CVE-2022-29153 7.5 - High - April 19, 2022

HashiCorp Consul and Consul Enterprise up to 1.9.16, 1.10.9, and 1.11.4 may allow server side request forgery when the Consul client agent follows redirects returned by HTTP health check endpoints. Fixed in 1.9.17, 1.10.10, and 1.11.5.

XSPA

HashiCorp Consul and Consul Enterprise 1.9.0 through 1.9.14, 1.10.7, and 1.11.2 clusters with at least one Ingress Gateway allow a user with service:write to register a specifically-defined service

CVE-2022-24687 6.5 - Medium - February 24, 2022

HashiCorp Consul and Consul Enterprise 1.9.0 through 1.9.14, 1.10.7, and 1.11.2 clusters with at least one Ingress Gateway allow a user with service:write to register a specifically-defined service that can cause Consul servers to panic. Fixed in 1.9.15, 1.10.8, and 1.11.3.

HashiCorp Consul Enterprise before 1.8.17, 1.9.x before 1.9.11, and 1.10.x before 1.10.4 has Incorrect Access Control

CVE-2021-41805 8.8 - High - December 12, 2021

HashiCorp Consul Enterprise before 1.8.17, 1.9.x before 1.9.11, and 1.10.x before 1.10.4 has Incorrect Access Control. An ACL token (with the default operator:write permissions) in one namespace can be used for unintended privilege escalation in a different namespace.

AuthZ

HashiCorp Consul and Consul Enterprise 1.10.1 Txn.Apply endpoint

CVE-2021-38698 6.5 - Medium - September 07, 2021

HashiCorp Consul and Consul Enterprise 1.10.1 Txn.Apply endpoint allowed services to register proxies for other services, enabling access to service traffic. Fixed in 1.8.15, 1.9.9 and 1.10.2.

AuthZ

HashiCorp Consul and Consul Enterprise 1.10.1 Raft RPC layer

CVE-2021-37219 8.8 - High - September 07, 2021

HashiCorp Consul and Consul Enterprise 1.10.1 Raft RPC layer allows non-server agents with a valid certificate signed by the same CA to access server-only functionality, enabling privilege escalation. Fixed in 1.8.15, 1.9.9 and 1.10.2.

Improper Certificate Validation

HashiCorp Consul and Consul Enterprise 1.3.0 through 1.10.0 Envoy proxy TLS configuration does not validate destination service identity in the encoded subject alternative name

CVE-2021-32574 7.5 - High - July 17, 2021

HashiCorp Consul and Consul Enterprise 1.3.0 through 1.10.0 Envoy proxy TLS configuration does not validate destination service identity in the encoded subject alternative name. Fixed in 1.8.14, 1.9.8, and 1.10.1.

Improper Certificate Validation

HashiCorp Consul and Consul Enterprise 1.9.0 through 1.10.0 default deny policy with a single L7 application-aware intention deny action cancels out, causing the intention to incorrectly fail open

CVE-2021-36213 7.5 - High - July 17, 2021

HashiCorp Consul and Consul Enterprise 1.9.0 through 1.10.0 default deny policy with a single L7 application-aware intention deny action cancels out, causing the intention to incorrectly fail open, allowing L4 traffic. Fixed in 1.9.8 and 1.10.1.

HashiCorp Consul Enterprise version 1.8.0 up to 1.9.4 audit log can be bypassed by specifically crafted HTTP events

CVE-2021-28156 7.5 - High - April 20, 2021

HashiCorp Consul Enterprise version 1.8.0 up to 1.9.4 audit log can be bypassed by specifically crafted HTTP events. Fixed in 1.9.5, and 1.8.10.

HashiCorp Consul and Consul Enterprise up to version 1.9.4 key-value (KV) raw mode was vulnerable to cross-site scripting

CVE-2020-25864 6.1 - Medium - April 20, 2021

HashiCorp Consul and Consul Enterprise up to version 1.9.4 key-value (KV) raw mode was vulnerable to cross-site scripting. Fixed in 1.9.5, 1.8.10 and 1.7.14.

XSS

An issue was discovered in GoGo Protobuf before 1.3.2

CVE-2021-3121 8.6 - High - January 11, 2021

An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarshal/unmarshal.go lacks certain index validation, aka the "skippy peanut butter" issue.

out-of-bounds array index

HashiCorp Consul and Consul Enterprise 1.2.0 up to 1.8.5

CVE-2020-28053 6.5 - Medium - November 23, 2020

HashiCorp Consul and Consul Enterprise 1.2.0 up to 1.8.5 allowed operators with operator:read ACL permissions to read the Connect CA private key configuration. Fixed in 1.6.10, 1.7.10, and 1.8.6.

AuthZ

HashiCorp Consul Enterprise version 1.7.0 up to 1.8.4 includes a namespace replication bug which can be triggered to cause denial of service

CVE-2020-25201 7.5 - High - November 04, 2020

HashiCorp Consul Enterprise version 1.7.0 up to 1.8.4 includes a namespace replication bug which can be triggered to cause denial of service via infinite Raft writes. Fixed in 1.7.9 and 1.8.5.

HashiCorp Consul and Consul Enterprise include an HTTP API (introduced in 1.2.0) and DNS (introduced in 1.4.3) caching feature

CVE-2020-13250 7.5 - High - June 11, 2020

HashiCorp Consul and Consul Enterprise include an HTTP API (introduced in 1.2.0) and DNS (introduced in 1.4.3) caching feature that was vulnerable to denial of service. Fixed in 1.6.6 and 1.7.4.

Buffer Overflow

HashiCorp Consul and Consul Enterprise did not appropriately enforce scope for local tokens issued by a primary data center

CVE-2020-13170 7.5 - High - June 11, 2020

HashiCorp Consul and Consul Enterprise did not appropriately enforce scope for local tokens issued by a primary data center, where replication to a secondary data center was not enabled. Introduced in 1.4.0, fixed in 1.6.6 and 1.7.4.

Improper Input Validation

HashiCorp Consul and Consul Enterprise failed to enforce changes to legacy ACL token rules due to non-propagation to secondary data centers

CVE-2020-12797 5.3 - Medium - June 11, 2020

HashiCorp Consul and Consul Enterprise failed to enforce changes to legacy ACL token rules due to non-propagation to secondary data centers. Introduced in 1.4.0, fixed in 1.6.6 and 1.7.4.

Incorrect Permission Assignment for Critical Resource

HashiCorp Consul and Consul Enterprise could crash when configured with an abnormally-formed service-router entry

CVE-2020-12758 7.5 - High - June 11, 2020

HashiCorp Consul and Consul Enterprise could crash when configured with an abnormally-formed service-router entry. Introduced in 1.6.0, fixed in 1.6.6 and 1.7.4.

Improper Resource Shutdown or Release

HashiCorp Consul and Consul Enterprise 1.4.1 through 1.6.2 did not uniformly enforce ACLs across all API endpoints

CVE-2020-7955 5.3 - Medium - January 31, 2020

HashiCorp Consul and Consul Enterprise 1.4.1 through 1.6.2 did not uniformly enforce ACLs across all API endpoints, resulting in potential unintended information disclosure. Fixed in 1.6.3.

Information Disclosure

HashiCorp Consul and Consul Enterprise up to 1.6.2 HTTP/RPC services

CVE-2020-7219 7.5 - High - January 31, 2020

HashiCorp Consul and Consul Enterprise up to 1.6.2 HTTP/RPC services allowed unbounded resource usage, and were susceptible to unauthenticated denial of service. Fixed in 1.6.3.

Resource Exhaustion

HashiCorp Consul 1.4.0 through 1.5.0 has Incorrect Access Control

CVE-2019-12291 7.5 - High - June 06, 2019

HashiCorp Consul 1.4.0 through 1.5.0 has Incorrect Access Control. Keys not matching a specific ACL rule used for prefix matching in a policy can be deleted by a token using that policy even with default deny settings configured.

HashiCorp Consul 1.4.3 lacks server hostname verification for agent-to-agent TLS communication

CVE-2019-9764 7.4 - High - March 26, 2019

HashiCorp Consul 1.4.3 lacks server hostname verification for agent-to-agent TLS communication. In other words, the product behaves as if verify_server_hostname were set to false, even when it is actually set to true. This is fixed in 1.4.4.

Origin Validation Error

HashiCorp Consul (and Consul Enterprise) 1.4.x before 1.4.3

CVE-2019-8336 8.1 - High - March 05, 2019

HashiCorp Consul (and Consul Enterprise) 1.4.x before 1.4.3 allows a client to bypass intended access restrictions and obtain the privileges of one other arbitrary token within secondary datacenters, because a token with literally "<hidden>" as its secret is used in unusual circumstances.

HashiCorp Consul 0.5.1 through 1.4.0 can use cleartext agent-to-agent RPC communication

CVE-2018-19653 5.9 - Medium - December 09, 2018

HashiCorp Consul 0.5.1 through 1.4.0 can use cleartext agent-to-agent RPC communication because the verify_outgoing setting is improperly documented. NOTE: the vendor has provided reconfiguration steps that do not require a software upgrade.

Cryptographic Issues

Stay on top of Security Vulnerabilities

Want an email whenever new vulnerabilities are published for HashiCorp Consul or by HashiCorp? Click the Watch button to subscribe.

HashiCorp
Vendor

subscribe