CVSS: 6.4EPSS: 0%CPEs: 2EXPL: 0CVE-2024-10086 – Consul Vulnerable To Reflected XSS On Content-Type Error Manipulation
https://notcve.org/view.php?id=CVE-2024-10086
30 Oct 2024 — A vulnerability was identified in Consul and Consul Enterprise such that the server response did not explicitly set a Content-Type HTTP header, allowing user-provided inputs to be misinterpreted and lead to reflected XSS. Se identificó una vulnerabilidad en Consul y Consul Enterprise tal que la respuesta del servidor no establecía explícitamente un encabezado HTTP Content-Type, lo que permitía que las entradas proporcionadas por el usuario se malinterpretaran y generaran un XSS reflejado. • https://discuss.hashicorp.com/t/hcsec-2024-24-consul-vulnerable-to-reflected-xss-on-content-type-error-manipulation • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.3EPSS: 0%CPEs: 2EXPL: 0CVE-2024-10006 – Consul L7 Intentions Vulnerable To Headers Bypass
https://notcve.org/view.php?id=CVE-2024-10006
30 Oct 2024 — A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such that using Headers in L7 traffic intentions could bypass HTTP header based access rules. Se identificó una vulnerabilidad en Consul y Consul Enterprise (“Consul”) tal que el uso de encabezados en intenciones de tráfico L7 podría eludir las reglas de acceso basadas en encabezados HTTP. • https://discuss.hashicorp.com/t/hcsec-2024-23-consul-l7-intentions-vulnerable-to-headers-bypass • CWE-644: Improper Neutralization of HTTP Headers for Scripting Syntax •
CVSS: 8.5EPSS: 0%CPEs: 2EXPL: 0CVE-2024-10005 – Consul L7 Intentions Vulnerable To URL Path Bypass
https://notcve.org/view.php?id=CVE-2024-10005
30 Oct 2024 — A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such that using URL paths in L7 traffic intentions could bypass HTTP request path-based access rules. Se identificó una vulnerabilidad en Consul y Consul Enterprise (“Consul”) tal que el uso de rutas URL en intenciones de tráfico L7 podría eludir las reglas de acceso basadas en rutas de solicitud HTTP. • https://discuss.hashicorp.com/t/hcsec-2024-22-consul-l7-intentions-vulnerable-to-url-path-bypass • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2023-1297 – Consul Cluster Peering can Result in Denial of Service
https://notcve.org/view.php?id=CVE-2023-1297
02 Jun 2023 — Consul and Consul Enterprise's cluster peering implementation contained a flaw whereby a peer cluster with service of the same name as a local service could corrupt Consul state, resulting in denial of service. This vulnerability was resolved in Consul 1.14.5, and 1.15.3 Multiple vulnerabilities have been discovered in HashiCorp Consul, the worst of which could result in denial of service. Versions greater than or equal to 1.15.10 are affected. • https://discuss.hashicorp.com/t/hcsec-2023-15-consul-cluster-peering-can-result-in-denial-of-service/54515 • CWE-826: Premature Release of Resource During Expected Lifetime •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-0845 – Consul Server Panic when Ingress and API Gateways Configured with Peering
https://notcve.org/view.php?id=CVE-2023-0845
09 Mar 2023 — Consul and Consul Enterprise allowed an authenticated user with service:write permissions to trigger a workflow that causes Consul server and client agents to crash under certain circumstances. This vulnerability was fixed in Consul 1.14.5. Consul y Consul Enterprise permitieron que un usuario autenticado con servicio:permisos de escritura desencadenara un flujo de trabajo que provoca que el servidor de Consul y los agentes del cliente colapsen en determinadas circunstancias. Esta vulnerabilidad se solucion... • https://discuss.hashicorp.com/t/hcsec-2023-06-consul-server-panic-when-ingress-and-api-gateways-configured-with-peering-connections/51197 • CWE-476: NULL Pointer Dereference •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2022-3920 – Consul Peering Imported Nodes/Services Leak
https://notcve.org/view.php?id=CVE-2022-3920
15 Nov 2022 — HashiCorp Consul and Consul Enterprise 1.13.0 up to 1.13.3 do not filter cluster filtering's imported nodes and services for HTTP or RPC endpoints used by the UI. Fixed in 1.14.0. HashiCorp Consul y Consul Enterprise 1.13.0 hasta 1.13.3 no filtran los nodos y servicios importados del filtrado de clústeres para los endpoints HTTP o RPC utilizados por la interfaz de usuario. Se corrigió en la versión 1.14.0. • https://discuss.hashicorp.com/t/hcsec-2022-28-consul-cluster-peering-leaks-imported-nodes-services-information/46946 • CWE-862: Missing Authorization •
CVSS: 6.8EPSS: 0%CPEs: 6EXPL: 0CVE-2022-40716
https://notcve.org/view.php?id=CVE-2022-40716
23 Sep 2022 — HashiCorp Consul and Consul Enterprise up to 1.11.8, 1.12.4, and 1.13.1 do not check for multiple SAN URI values in a CSR on the internal RPC endpoint, enabling leverage of privileged access to bypass service mesh intentions. Fixed in 1.11.9, 1.12.5, and 1.13.2." HashiCorp Consul y Consul Enterprise versiones hasta la 1.11.8, 1.12.4, y 1.13.1, no comprueban los valores múltiples de SAN URI en un CSR en el endpoint RPC interno, permitiendo un aprovechamiento del acceso privilegiado para omitir las intencione... • https://discuss.hashicorp.com • CWE-252: Unchecked Return Value •
CVSS: 7.5EPSS: 0%CPEs: 6EXPL: 0CVE-2021-41803
https://notcve.org/view.php?id=CVE-2021-41803
23 Sep 2022 — HashiCorp Consul 1.8.1 up to 1.11.8, 1.12.4, and 1.13.1 do not properly validate the node or segment names prior to interpolation and usage in JWT claim assertions with the auto config RPC. Fixed in 1.11.9, 1.12.5, and 1.13.2." HashiCorp Consul versiones 1.8.1 hasta 1.11.8, 1.12.4 y 1.13.1, no comprueban apropiadamente los nombres de nodos o segmentos antes de la interpolación y el uso en las aserciones de reclamación JWT con el RPC de configuración automática. Corregido en versiones 1.11.9, 1.12.5 y 1.13.2... • https://discuss.hashicorp.com/t/hcsec-2022-19-consul-auto-config-jwt-authorization-missing-input-validation/44627 • CWE-862: Missing Authorization •