CVE-2024-10086 – Consul Vulnerable To Reflected XSS On Content-Type Error Manipulation
https://notcve.org/view.php?id=CVE-2024-10086
A vulnerability was identified in Consul and Consul Enterprise such that the server response did not explicitly set a Content-Type HTTP header, allowing user-provided inputs to be misinterpreted and lead to reflected XSS. Se identificó una vulnerabilidad en Consul y Consul Enterprise tal que la respuesta del servidor no establecía explícitamente un encabezado HTTP Content-Type, lo que permitía que las entradas proporcionadas por el usuario se malinterpretaran y generaran un XSS reflejado. • https://discuss.hashicorp.com/t/hcsec-2024-24-consul-vulnerable-to-reflected-xss-on-content-type-error-manipulation • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2024-10006 – Consul L7 Intentions Vulnerable To Headers Bypass
https://notcve.org/view.php?id=CVE-2024-10006
A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such that using Headers in L7 traffic intentions could bypass HTTP header based access rules. Se identificó una vulnerabilidad en Consul y Consul Enterprise (“Consul”) tal que el uso de encabezados en intenciones de tráfico L7 podría eludir las reglas de acceso basadas en encabezados HTTP. • https://discuss.hashicorp.com/t/hcsec-2024-23-consul-l7-intentions-vulnerable-to-headers-bypass • CWE-644: Improper Neutralization of HTTP Headers for Scripting Syntax •
CVE-2024-10005 – Consul L7 Intentions Vulnerable To URL Path Bypass
https://notcve.org/view.php?id=CVE-2024-10005
A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such that using URL paths in L7 traffic intentions could bypass HTTP request path-based access rules. Se identificó una vulnerabilidad en Consul y Consul Enterprise (“Consul”) tal que el uso de rutas URL en intenciones de tráfico L7 podría eludir las reglas de acceso basadas en rutas de solicitud HTTP. • https://discuss.hashicorp.com/t/hcsec-2024-22-consul-l7-intentions-vulnerable-to-url-path-bypass • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2023-5332 – Dependency on Vulnerable Third-Party Component in GitLab
https://notcve.org/view.php?id=CVE-2023-5332
Patch in third party library Consul requires 'enable-script-checks' to be set to False. This was required to enable a patch by the vendor. Without this setting the patch could be bypassed. This only affects GitLab-EE. El parche en la librería de terceros Consul requiere que 'enable-script-checks' esté configurado en False. • https://gitlab.com/gitlab-org/omnibus-gitlab/-/issues/8171 https://www.hashicorp.com/blog/protecting-consul-from-rce-risk-in-specific-configurations • CWE-16: Configuration CWE-1395: Dependency on Vulnerable Third-Party Component •
CVE-2023-0845 – Consul Server Panic when Ingress and API Gateways Configured with Peering
https://notcve.org/view.php?id=CVE-2023-0845
Consul and Consul Enterprise allowed an authenticated user with service:write permissions to trigger a workflow that causes Consul server and client agents to crash under certain circumstances. This vulnerability was fixed in Consul 1.14.5. Consul y Consul Enterprise permitieron que un usuario autenticado con servicio:permisos de escritura desencadenara un flujo de trabajo que provoca que el servidor de Consul y los agentes del cliente colapsen en determinadas circunstancias. Esta vulnerabilidad se solucionó en Consul 1.14.5. • https://discuss.hashicorp.com/t/hcsec-2023-06-consul-server-panic-when-ingress-and-api-gateways-configured-with-peering-connections/51197 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XNF4OLYZRQE75EB5TW5N42FSXHBXGWFE https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTE4ITXXPIWZEQ4HYQCB6N6GZIMWXDAI • CWE-476: NULL Pointer Dereference •