Vulmon
Recent Vulnerabilities
Research Posts
Trends
Blog
About
Contact
Vulmon Alerts
By Relevance
By Risk Score
By Publish Date
hashicorp consul vulnerabilities and exploits
(subscribe to this query)
10
CVSSv2
CVE-2020-29564
The official Consul Docker images 0.7.1 up to and including 1.4.2 contain a blank password for a root user. System using the Consul Docker container deployed by affected versions of the Docker image may allow a remote malicious user to achieve root access with a blank password.
Hashicorp Consul Docker Image
7.5
CVSSv2
CVE-2021-3121
An issue exists in GoGo Protobuf prior to 1.3.2. plugin/unmarshal/unmarshal.go lacks certain index validation, aka the "skippy peanut butter" issue.
Golang Protobuf
Hashicorp Consul
4 Github repositories
6.8
CVSSv2
CVE-2019-8336
HashiCorp Consul (and Consul Enterprise) 1.4.x prior to 1.4.3 allows a client to bypass intended access restrictions and obtain the privileges of one other arbitrary token within secondary datacenters, because a token with literally "<hidden>" as its secret is use...
Hashicorp Consul
6.5
CVSSv2
CVE-2021-41805
HashiCorp Consul Enterprise prior to 1.8.17, 1.9.x prior to 1.9.11, and 1.10.x prior to 1.10.4 has Incorrect Access Control. An ACL token (with the default operator:write permissions) in one namespace can be used for unintended privilege escalation in a different namespace.
Hashicorp Consul
2 Github repositories
6.5
CVSSv2
CVE-2021-37219
HashiCorp Consul and Consul Enterprise 1.10.1 Raft RPC layer allows non-server agents with a valid certificate signed by the same CA to access server-only functionality, enabling privilege escalation. Fixed in 1.8.15, 1.9.9 and 1.10.2.
Hashicorp Consul
6.4
CVSSv2
CVE-2019-12291
HashiCorp Consul 1.4.0 up to and including 1.5.0 has Incorrect Access Control. Keys not matching a specific ACL rule used for prefix matching in a policy can be deleted by a token using that policy even with default deny settings configured.
Hashicorp Consul
5.8
CVSSv2
CVE-2019-9764
HashiCorp Consul 1.4.3 lacks server hostname verification for agent-to-agent TLS communication. In other words, the product behaves as if verify_server_hostname were set to false, even when it is actually set to true. This is fixed in 1.4.4.
Hashicorp Consul 1.4.3
5
CVSSv2
CVE-2022-29153
HashiCorp Consul and Consul Enterprise up to 1.9.16, 1.10.9, and 1.11.4 may allow server side request forgery when the Consul client agent follows redirects returned by HTTP health check endpoints. Fixed in 1.9.17, 1.10.10, and 1.11.5.
Hashicorp Consul
Fedoraproject Fedora 37
5
CVSSv2
CVE-2021-32574
HashiCorp Consul and Consul Enterprise 1.3.0 up to and including 1.10.0 Envoy proxy TLS configuration does not validate destination service identity in the encoded subject alternative name. Fixed in 1.8.14, 1.9.8, and 1.10.1.
Hashicorp Consul
5
CVSSv2
CVE-2021-36213
HashiCorp Consul and Consul Enterprise 1.9.0 up to and including 1.10.0 default deny policy with a single L7 application-aware intention deny action cancels out, causing the intention to incorrectly fail open, allowing L4 traffic. Fixed in 1.9.8 and 1.10.1.
Hashicorp Consul
CVSSv2
CVSSv2
CVSSv3
VMScore
Recommendations:
bypass
open redirect
CVE-2024-4358
CVE-2024-24199
CVE-2024-5550
CVE-2024-5305
CVE-2024-30373
CVE-2024-1800
deserialization
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started
1
2
3
4
NEXT »