CVE-2021-38698
https://notcve.org/view.php?id=CVE-2021-38698
HashiCorp Consul and Consul Enterprise 1.10.1 Txn.Apply endpoint allowed services to register proxies for other services, enabling access to service traffic. Fixed in 1.8.15, 1.9.9 and 1.10.2. El endpoint Txn.Apply de HashiCorp Consul y Consul Enterprise versión 1.10.1, permitía que los servicios registraran proxies para otros servicios, permitiendo el acceso al tráfico de los mismos. Corregido en versiones 1.8.15, 1.9.9 y 1.10.2 • https://discuss.hashicorp.com/t/hcsec-2021-24-consul-missing-authorization-check-on-txn-apply-endpoint/29026 https://security.gentoo.org/glsa/202208-09 https://www.hashicorp.com/blog/category/consul • CWE-862: Missing Authorization •
CVE-2021-37219
https://notcve.org/view.php?id=CVE-2021-37219
HashiCorp Consul and Consul Enterprise 1.10.1 Raft RPC layer allows non-server agents with a valid certificate signed by the same CA to access server-only functionality, enabling privilege escalation. Fixed in 1.8.15, 1.9.9 and 1.10.2. La capa RPC de HashiCorp Consul y Consul Enterprise Raft versión 1.10.1 , permite a agentes que no son servidores con un certificado válido firmado por la misma CA acceder a la funcionalidad server-only, permitiendo una escalada de privilegios. Corregido en 1.8.15, 1.9.9 y 1.10.2 • https://discuss.hashicorp.com/t/hcsec-2021-22-consul-raft-rpc-privilege-escalation/29024 https://security.gentoo.org/glsa/202207-01 https://www.hashicorp.com/blog/category/consul • CWE-295: Improper Certificate Validation •
CVE-2021-32574
https://notcve.org/view.php?id=CVE-2021-32574
HashiCorp Consul and Consul Enterprise 1.3.0 through 1.10.0 Envoy proxy TLS configuration does not validate destination service identity in the encoded subject alternative name. Fixed in 1.8.14, 1.9.8, and 1.10.1. HashiCorp Consul y Consul Enterprise versión 1.3.0 hasta la versión 1.10.0 La configuración del proxy TLS de Envoy no valida la identidad del servicio de destino en el nombre alternativo del asunto codificado. Corregido en las versiones 1.8.14, 1.9.8 y 1.10.1 • https://discuss.hashicorp.com/t/hcsec-2021-17-consul-s-envoy-tls-configuration-did-not-validate-destination-service-subject-alternative-names/26856 https://github.com/hashicorp/consul/releases/tag/v1.10.1 https://security.gentoo.org/glsa/202208-09 https://www.hashicorp.com/blog/category/consul • CWE-295: Improper Certificate Validation •
CVE-2020-25864
https://notcve.org/view.php?id=CVE-2020-25864
HashiCorp Consul and Consul Enterprise up to version 1.9.4 key-value (KV) raw mode was vulnerable to cross-site scripting. Fixed in 1.9.5, 1.8.10 and 1.7.14. El modo sin procesar de HashiCorp Consul y Consul Enterprise hasta versión 1.9.4, key-value (KV) era vulnerable a un ataque de tipo cross-site scripting. Corregido en versiones 1.9.5, 1.8.10 y 1.7.14 • https://discuss.hashicorp.com/t/hcsec-2021-07-consul-api-kv-endpoint-vulnerable-to-cross-site-scripting/23368 https://security.gentoo.org/glsa/202208-09 https://www.hashicorp.com/blog/category/consul • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2021-3121 – gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation
https://notcve.org/view.php?id=CVE-2021-3121
An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarshal/unmarshal.go lacks certain index validation, aka the "skippy peanut butter" issue. Se detectó un problema en GoGo Protobuf versiones anteriores a 1.3.2. El archivo plugin/unmarshal/unmarshal.go carece de determinada comprobación de índice, también se conoce como el problema "skippy peanut butter" A flaw was found in github.com/gogo/protobuf before 1.3.2 that allows an out-of-bounds access when unmarshalling certain protobuf objects. This flaw allows a remote attacker to send crafted protobuf messages, causing panic and resulting in a denial of service. The highest threat from this vulnerability is to availability. • https://discuss.hashicorp.com/t/hcsec-2021-23-consul-exposed-to-denial-of-service-in-gogo-protobuf-dependency/29025 https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc https://github.com/gogo/protobuf/compare/v1.3.1...v1.3.2 https://lists.apache.org/thread.html/r68032132c0399c29d6cdc7bd44918535da54060a10a12b1591328bff%40%3Cnotifications.skywalking.apache.org%3E https://lists.apache.org/thread.html/r88d69555cb74a129a7bf84838073b61259b4a3830190e05a3b87994e%40%3Ccommits.pulsar.apache.org%3E https://lists.apache.org • CWE-129: Improper Validation of Array Index •