CVSS: 8.1EPSS: 0%CPEs: 7EXPL: 1CVE-2023-5332 – Dependency on Vulnerable Third-Party Component in GitLab
https://notcve.org/view.php?id=CVE-2023-5332
04 Dec 2023 — Patch in third party library Consul requires 'enable-script-checks' to be set to False. This was required to enable a patch by the vendor. Without this setting the patch could be bypassed. This only affects GitLab-EE. El parche en la librería de terceros Consul requiere que 'enable-script-checks' esté configurado en False. • https://gitlab.com/gitlab-org/omnibus-gitlab/-/issues/8171 • CWE-16: Configuration CWE-1395: Dependency on Vulnerable Third-Party Component •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-0845 – Consul Server Panic when Ingress and API Gateways Configured with Peering
https://notcve.org/view.php?id=CVE-2023-0845
09 Mar 2023 — Consul and Consul Enterprise allowed an authenticated user with service:write permissions to trigger a workflow that causes Consul server and client agents to crash under certain circumstances. This vulnerability was fixed in Consul 1.14.5. Consul y Consul Enterprise permitieron que un usuario autenticado con servicio:permisos de escritura desencadenara un flujo de trabajo que provoca que el servidor de Consul y los agentes del cliente colapsen en determinadas circunstancias. Esta vulnerabilidad se solucion... • https://discuss.hashicorp.com/t/hcsec-2023-06-consul-server-panic-when-ingress-and-api-gateways-configured-with-peering-connections/51197 • CWE-476: NULL Pointer Dereference •
CVSS: 6.8EPSS: 0%CPEs: 6EXPL: 0CVE-2022-40716
https://notcve.org/view.php?id=CVE-2022-40716
23 Sep 2022 — HashiCorp Consul and Consul Enterprise up to 1.11.8, 1.12.4, and 1.13.1 do not check for multiple SAN URI values in a CSR on the internal RPC endpoint, enabling leverage of privileged access to bypass service mesh intentions. Fixed in 1.11.9, 1.12.5, and 1.13.2." HashiCorp Consul y Consul Enterprise versiones hasta la 1.11.8, 1.12.4, y 1.13.1, no comprueban los valores múltiples de SAN URI en un CSR en el endpoint RPC interno, permitiendo un aprovechamiento del acceso privilegiado para omitir las intencione... • https://discuss.hashicorp.com • CWE-252: Unchecked Return Value •
CVSS: 7.5EPSS: 84%CPEs: 7EXPL: 0CVE-2022-29153 – Gentoo Linux Security Advisory 202208-09
https://notcve.org/view.php?id=CVE-2022-29153
19 Apr 2022 — HashiCorp Consul and Consul Enterprise up to 1.9.16, 1.10.9, and 1.11.4 may allow server side request forgery when the Consul client agent follows redirects returned by HTTP health check endpoints. Fixed in 1.9.17, 1.10.10, and 1.11.5. HashiCorp Consul y Consul Enterprise hasta 1.9.16, 1.10.9, y 1.11.4 pueden permitir la falsificación de peticiones del lado del servidor cuando el agente cliente de Consul sigue las redirecciones devueltas por los puntos finales de comprobación de salud HTTP. Corregido en 1.9... • https://discuss.hashicorp.com • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 6.5EPSS: 0%CPEs: 6EXPL: 0CVE-2021-38698 – Gentoo Linux Security Advisory 202208-09
https://notcve.org/view.php?id=CVE-2021-38698
07 Sep 2021 — HashiCorp Consul and Consul Enterprise 1.10.1 Txn.Apply endpoint allowed services to register proxies for other services, enabling access to service traffic. Fixed in 1.8.15, 1.9.9 and 1.10.2. El endpoint Txn.Apply de HashiCorp Consul y Consul Enterprise versión 1.10.1, permitía que los servicios registraran proxies para otros servicios, permitiendo el acceso al tráfico de los mismos. Corregido en versiones 1.8.15, 1.9.9 y 1.10.2 Multiple vulnerabilities have been discovered in HashiCorp Consul, the worst o... • https://discuss.hashicorp.com/t/hcsec-2021-24-consul-missing-authorization-check-on-txn-apply-endpoint/29026 • CWE-862: Missing Authorization •
CVSS: 8.8EPSS: 2%CPEs: 6EXPL: 0CVE-2021-37219 – Gentoo Linux Security Advisory 202207-01
https://notcve.org/view.php?id=CVE-2021-37219
07 Sep 2021 — HashiCorp Consul and Consul Enterprise 1.10.1 Raft RPC layer allows non-server agents with a valid certificate signed by the same CA to access server-only functionality, enabling privilege escalation. Fixed in 1.8.15, 1.9.9 and 1.10.2. La capa RPC de HashiCorp Consul y Consul Enterprise Raft versión 1.10.1 , permite a agentes que no son servidores con un certificado válido firmado por la misma CA acceder a la funcionalidad server-only, permitiendo una escalada de privilegios. Corregido en 1.8.15, 1.9.9 y 1.... • https://discuss.hashicorp.com/t/hcsec-2021-22-consul-raft-rpc-privilege-escalation/29024 • CWE-295: Improper Certificate Validation •
CVSS: 6.1EPSS: 84%CPEs: 6EXPL: 0CVE-2020-25864 – Gentoo Linux Security Advisory 202208-09
https://notcve.org/view.php?id=CVE-2020-25864
20 Apr 2021 — HashiCorp Consul and Consul Enterprise up to version 1.9.4 key-value (KV) raw mode was vulnerable to cross-site scripting. Fixed in 1.9.5, 1.8.10 and 1.7.14. El modo sin procesar de HashiCorp Consul y Consul Enterprise hasta versión 1.9.4, key-value (KV) era vulnerable a un ataque de tipo cross-site scripting. Corregido en versiones 1.9.5, 1.8.10 y 1.7.14 Multiple vulnerabilities have been discovered in HashiCorp Consul, the worst of which could result in denial of service. Versions less than 1.9.17 ar... • https://discuss.hashicorp.com/t/hcsec-2021-07-consul-api-kv-endpoint-vulnerable-to-cross-site-scripting/23368 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.6EPSS: 0%CPEs: 7EXPL: 0CVE-2021-3121 – gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation
https://notcve.org/view.php?id=CVE-2021-3121
11 Jan 2021 — An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarshal/unmarshal.go lacks certain index validation, aka the "skippy peanut butter" issue. Se detectó un problema en GoGo Protobuf versiones anteriores a 1.3.2. El archivo plugin/unmarshal/unmarshal.go carece de determinada comprobación de índice, también se conoce como el problema "skippy peanut butter" A flaw was found in github.com/gogo/protobuf before 1.3.2 that allows an out-of-bounds access when unmarshalling certain protobuf objects... • https://discuss.hashicorp.com/t/hcsec-2021-23-consul-exposed-to-denial-of-service-in-gogo-protobuf-dependency/29025 • CWE-129: Improper Validation of Array Index •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2020-7219
https://notcve.org/view.php?id=CVE-2020-7219
31 Jan 2020 — HashiCorp Consul and Consul Enterprise up to 1.6.2 HTTP/RPC services allowed unbounded resource usage, and were susceptible to unauthenticated denial of service. Fixed in 1.6.3. HashiCorp Consul and Consul Enterprise versiones hasta 1.6.2. Los servicios HTTP/RPC permitieron un uso de recursos ilimitado y fueron susceptibles a una denegación de servicio no autenticada. Corregido en versión 1.6.3. • https://github.com/hashicorp/consul/issues/7159 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 9.8EPSS: 1%CPEs: 1EXPL: 1CVE-2019-16377
https://notcve.org/view.php?id=CVE-2019-16377
23 Sep 2019 — The makandra consul gem through 1.0.2 for Ruby has Incorrect Access Control. La gema makandra consul versiones hasta 1.0.2 para Ruby, presenta un Control de Acceso Incorrecto. • https://github.com/makandra/consul/issues/49 •