CVE-2020-25864
https://notcve.org/view.php?id=CVE-2020-25864
HashiCorp Consul and Consul Enterprise up to version 1.9.4 key-value (KV) raw mode was vulnerable to cross-site scripting. Fixed in 1.9.5, 1.8.10 and 1.7.14. El modo sin procesar de HashiCorp Consul y Consul Enterprise hasta versión 1.9.4, key-value (KV) era vulnerable a un ataque de tipo cross-site scripting. Corregido en versiones 1.9.5, 1.8.10 y 1.7.14 • https://discuss.hashicorp.com/t/hcsec-2021-07-consul-api-kv-endpoint-vulnerable-to-cross-site-scripting/23368 https://security.gentoo.org/glsa/202208-09 https://www.hashicorp.com/blog/category/consul • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2021-3121 – gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation
https://notcve.org/view.php?id=CVE-2021-3121
An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarshal/unmarshal.go lacks certain index validation, aka the "skippy peanut butter" issue. Se detectó un problema en GoGo Protobuf versiones anteriores a 1.3.2. El archivo plugin/unmarshal/unmarshal.go carece de determinada comprobación de índice, también se conoce como el problema "skippy peanut butter" A flaw was found in github.com/gogo/protobuf before 1.3.2 that allows an out-of-bounds access when unmarshalling certain protobuf objects. This flaw allows a remote attacker to send crafted protobuf messages, causing panic and resulting in a denial of service. The highest threat from this vulnerability is to availability. • https://discuss.hashicorp.com/t/hcsec-2021-23-consul-exposed-to-denial-of-service-in-gogo-protobuf-dependency/29025 https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc https://github.com/gogo/protobuf/compare/v1.3.1...v1.3.2 https://lists.apache.org/thread.html/r68032132c0399c29d6cdc7bd44918535da54060a10a12b1591328bff%40%3Cnotifications.skywalking.apache.org%3E https://lists.apache.org/thread.html/r88d69555cb74a129a7bf84838073b61259b4a3830190e05a3b87994e%40%3Ccommits.pulsar.apache.org%3E https://lists.apache.org • CWE-129: Improper Validation of Array Index •
CVE-2020-28053
https://notcve.org/view.php?id=CVE-2020-28053
HashiCorp Consul and Consul Enterprise 1.2.0 up to 1.8.5 allowed operators with operator:read ACL permissions to read the Connect CA private key configuration. Fixed in 1.6.10, 1.7.10, and 1.8.6. HashiCorp Consul y Consul Enterprise versiones 1.2.0 hasta 1.8.5, permitieron a operadores con operador: leer unos permisos ACL para leer la configuración de la clave privada de Connect CA. Corregido en versiones 1.6.10, 1.7.10 y 1.8.6 • https://github.com/hashicorp/consul/blob/master/CHANGELOG.md#186-november-19-2020 https://security.gentoo.org/glsa/202208-09 https://www.hashicorp.com/blog/category/consul • CWE-863: Incorrect Authorization •
CVE-2020-25201
https://notcve.org/view.php?id=CVE-2020-25201
HashiCorp Consul Enterprise version 1.7.0 up to 1.8.4 includes a namespace replication bug which can be triggered to cause denial of service via infinite Raft writes. Fixed in 1.7.9 and 1.8.5. HashiCorp Consul Enterprise versiones 1.7.0 hasta 1.8.4, incluye un error de replicación de espacio de nombres que puede ser activado para causar una denegación de servicio por medio de escrituras Raft infinitas. Corregido en versiones 1.7.9 y 1.8.5 • https://github.com/hashicorp/consul/blob/master/CHANGELOG.md#185-october-23-2020 https://security.gentoo.org/glsa/202208-09 https://www.hashicorp.com/blog/category/consul •
CVE-2020-13170
https://notcve.org/view.php?id=CVE-2020-13170
HashiCorp Consul and Consul Enterprise did not appropriately enforce scope for local tokens issued by a primary data center, where replication to a secondary data center was not enabled. Introduced in 1.4.0, fixed in 1.6.6 and 1.7.4. HashiCorp Consul y Consul Enterprise, no aplicaron apropiadamente el alcance de los tokens locales emitidos por un centro de datos primario, donde lo replicación a un centro de datos secundario que no estaba habilitado. Introducido en la versión 1.4.0, corregido en las versiones 1.6.6 y 1.7.4 • https://github.com/hashicorp/consul/blob/v1.6.6/CHANGELOG.md https://github.com/hashicorp/consul/blob/v1.7.4/CHANGELOG.md https://github.com/hashicorp/consul/pull/8068 • CWE-20: Improper Input Validation •