Vulmon
Recent Vulnerabilities
Research Posts
Trends
Blog
About
Contact
Vulmon Alerts
By Relevance
By Risk Score
By Publish Date
hashicorp consul vulnerabilities and exploits
(subscribe to this query)
7.1
CVSSv3
CVE-2021-41803
HashiCorp Consul 1.8.1 up to 1.11.8, 1.12.4, and 1.13.1 do not properly validate the node or segment names prior to interpolation and usage in JWT claim assertions with the auto config RPC. Fixed in 1.11.9, 1.12.5, and 1.13.2."
Hashicorp Consul 1.12.4
Hashicorp Consul 1.13.1
Hashicorp Consul
1 Github repository
8.1
CVSSv3
CVE-2023-5332
Patch in third party library Consul requires 'enable-script-checks' to be set to False. This was required to enable a patch by the vendor. Without this setting the patch could be bypassed. This only affects GitLab-EE.
Gitlab Gitlab
Gitlab Gitlab 16.4.0
Hashicorp Consul
Hashicorp Consul 1.1.0
6.5
CVSSv3
CVE-2022-40716
HashiCorp Consul and Consul Enterprise up to 1.11.8, 1.12.4, and 1.13.1 do not check for multiple SAN URI values in a CSR on the internal RPC endpoint, enabling leverage of privileged access to bypass service mesh intentions. Fixed in 1.11.9, 1.12.5, and 1.13.2."
Hashicorp Consul
1 Github repository
7.5
CVSSv3
CVE-2020-7219
HashiCorp Consul and Consul Enterprise up to 1.6.2 HTTP/RPC services allowed unbounded resource usage, and were susceptible to unauthenticated denial of service. Fixed in 1.6.3.
Hashicorp Consul
7.5
CVSSv3
CVE-2020-12758
HashiCorp Consul and Consul Enterprise could crash when configured with an abnormally-formed service-router entry. Introduced in 1.6.0, fixed in 1.6.6 and 1.7.4.
Hashicorp Consul
8.8
CVSSv3
CVE-2021-41805
HashiCorp Consul Enterprise prior to 1.8.17, 1.9.x prior to 1.9.11, and 1.10.x prior to 1.10.4 has Incorrect Access Control. An ACL token (with the default operator:write permissions) in one namespace can be used for unintended privilege escalation in a different namespace.
Hashicorp Consul
2 Github repositories
5.3
CVSSv3
CVE-2020-7955
HashiCorp Consul and Consul Enterprise 1.4.1 up to and including 1.6.2 did not uniformly enforce ACLs across all API endpoints, resulting in potential unintended information disclosure. Fixed in 1.6.3.
Hashicorp Consul
5.9
CVSSv3
CVE-2018-19653
HashiCorp Consul 0.5.1 up to and including 1.4.0 can use cleartext agent-to-agent RPC communication because the verify_outgoing setting is improperly documented. NOTE: the vendor has provided reconfiguration steps that do not require a software upgrade.
Hashicorp Consul
7.5
CVSSv3
CVE-2021-32574
HashiCorp Consul and Consul Enterprise 1.3.0 up to and including 1.10.0 Envoy proxy TLS configuration does not validate destination service identity in the encoded subject alternative name. Fixed in 1.8.14, 1.9.8, and 1.10.1.
Hashicorp Consul
7.5
CVSSv3
CVE-2022-3920
HashiCorp Consul and Consul Enterprise 1.13.0 up to 1.13.3 do not filter cluster filtering's imported nodes and services for HTTP or RPC endpoints used by the UI. Fixed in 1.14.0.
Hashicorp Consul
CVSSv3
CVSSv2
CVSSv3
VMScore
Recommendations:
NULL pointer dereference
CVE-2023-52689
CVE-2024-23803
client side
CVE-2023-52696
information disclosure
CVE-2024-35843
CVE-2024-27130
CVE-2023-52697
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started
1
2
3
4
NEXT »