CVSS: 8.8EPSS: 0%CPEs: 6EXPL: 0CVE-2021-37219
https://notcve.org/view.php?id=CVE-2021-37219
HashiCorp Consul and Consul Enterprise 1.10.1 Raft RPC layer allows non-server agents with a valid certificate signed by the same CA to access server-only functionality, enabling privilege escalation. Fixed in 1.8.15, 1.9.9 and 1.10.2. La capa RPC de HashiCorp Consul y Consul Enterprise Raft versión 1.10.1 , permite a agentes que no son servidores con un certificado válido firmado por la misma CA acceder a la funcionalidad server-only, permitiendo una escalada de privilegios. Corregido en 1.8.15, 1.9.9 y 1.10.2 • https://discuss.hashicorp.com/t/hcsec-2021-22-consul-raft-rpc-privilege-escalation/29024 https://security.gentoo.org/glsa/202207-01 https://www.hashicorp.com/blog/category/consul • CWE-295: Improper Certificate Validation •
CVSS: 6.1EPSS: 0%CPEs: 6EXPL: 0CVE-2020-25864
https://notcve.org/view.php?id=CVE-2020-25864
HashiCorp Consul and Consul Enterprise up to version 1.9.4 key-value (KV) raw mode was vulnerable to cross-site scripting. Fixed in 1.9.5, 1.8.10 and 1.7.14. El modo sin procesar de HashiCorp Consul y Consul Enterprise hasta versión 1.9.4, key-value (KV) era vulnerable a un ataque de tipo cross-site scripting. Corregido en versiones 1.9.5, 1.8.10 y 1.7.14 • https://discuss.hashicorp.com/t/hcsec-2021-07-consul-api-kv-endpoint-vulnerable-to-cross-site-scripting/23368 https://security.gentoo.org/glsa/202208-09 https://www.hashicorp.com/blog/category/consul • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.6EPSS: 1%CPEs: 7EXPL: 0CVE-2021-3121 – gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation
https://notcve.org/view.php?id=CVE-2021-3121
An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarshal/unmarshal.go lacks certain index validation, aka the "skippy peanut butter" issue. Se detectó un problema en GoGo Protobuf versiones anteriores a 1.3.2. El archivo plugin/unmarshal/unmarshal.go carece de determinada comprobación de índice, también se conoce como el problema "skippy peanut butter" A flaw was found in github.com/gogo/protobuf before 1.3.2 that allows an out-of-bounds access when unmarshalling certain protobuf objects. This flaw allows a remote attacker to send crafted protobuf messages, causing panic and resulting in a denial of service. The highest threat from this vulnerability is to availability. • https://discuss.hashicorp.com/t/hcsec-2021-23-consul-exposed-to-denial-of-service-in-gogo-protobuf-dependency/29025 https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc https://github.com/gogo/protobuf/compare/v1.3.1...v1.3.2 https://lists.apache.org/thread.html/r68032132c0399c29d6cdc7bd44918535da54060a10a12b1591328bff%40%3Cnotifications.skywalking.apache.org%3E https://lists.apache.org/thread.html/r88d69555cb74a129a7bf84838073b61259b4a3830190e05a3b87994e%40%3Ccommits.pulsar.apache.org%3E https://lists.apache.org&#x • CWE-129: Improper Validation of Array Index •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2020-7219
https://notcve.org/view.php?id=CVE-2020-7219
HashiCorp Consul and Consul Enterprise up to 1.6.2 HTTP/RPC services allowed unbounded resource usage, and were susceptible to unauthenticated denial of service. Fixed in 1.6.3. HashiCorp Consul and Consul Enterprise versiones hasta 1.6.2. Los servicios HTTP/RPC permitieron un uso de recursos ilimitado y fueron susceptibles a una denegación de servicio no autenticada. Corregido en versión 1.6.3. • https://github.com/hashicorp/consul/issues/7159 https://www.hashicorp.com/blog/category/consul • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 0CVE-2018-19653
https://notcve.org/view.php?id=CVE-2018-19653
HashiCorp Consul 0.5.1 through 1.4.0 can use cleartext agent-to-agent RPC communication because the verify_outgoing setting is improperly documented. NOTE: the vendor has provided reconfiguration steps that do not require a software upgrade. HashiCorp Consul, de la versión 0.5.1 a la 1.4.0, puede emplear comunicaciones RPC de agente a agente en texto claro debido a que la opción verify_outgoing setting está mal documentada. NOTA: el fabricante ha proporcionado instrucciones de reconfiguración que no requieren actualizar el software. • https://github.com/hashicorp/consul/pull/5069 https://groups.google.com/forum/#%21topic/consul-tool/7TCw06oio0I • CWE-310: Cryptographic Issues •