
CVE-2024-10086 – Consul Vulnerable To Reflected XSS On Content-Type Error Manipulation
https://notcve.org/view.php?id=CVE-2024-10086
30 Oct 2024 — A vulnerability was identified in Consul and Consul Enterprise such that the server response did not explicitly set a Content-Type HTTP header, allowing user-provided inputs to be misinterpreted and lead to reflected XSS.
https://discuss.hashicorp.com/t/hcsec-2024-24-consul-vulnerable-to-reflected-xss-on-content-type-error-manipulation
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2024-10006 – Consul L7 Intentions Vulnerable To Headers Bypass
https://notcve.org/view.php?id=CVE-2024-10006
30 Oct 2024 — A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such that using Headers in L7 traffic intentions could bypass HTTP header based access rules.
https://discuss.hashicorp.com/t/hcsec-2024-23-consul-l7-intentions-vulnerable-to-headers-bypass
CWE-644: Improper Neutralization of HTTP Headers for Scripting Syntax

CVE-2024-10005 – Consul L7 Intentions Vulnerable To URL Path Bypass
https://notcve.org/view.php?id=CVE-2024-10005
30 Oct 2024 — A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such that using URL paths in L7 traffic intentions could bypass HTTP request path-based access rules.
https://discuss.hashicorp.com/t/hcsec-2024-22-consul-l7-intentions-vulnerable-to-url-path-bypass
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVE-2023-1297 – Consul Cluster Peering can Result in Denial of Service
https://notcve.org/view.php?id=CVE-2023-1297
02 Jun 2023 — Consul and Consul Enterprise's cluster peering implementation contained a flaw whereby a peer cluster with a service of the same name as a local service could corrupt Consul state, resulting in denial of service. This vulnerability was resolved in Consul 1.14.5 and 1.15.3. Multiple vulnerabilities have been discovered in HashiCorp Consul, the worst of which could result in denial of service. Versions greater than or equal to 1.15.10 are affected.
https://discuss.hashicorp.com/t/hcsec-2023-15-consul-cluster-peering-can-result-in-denial-of-service/54515
CWE-826: Premature Release of Resource During Expected Lifetime

CVE-2023-2816 – Consul Envoy Extension Downstream Proxy Configuration By Upstream Service Owner
https://notcve.org/view.php?id=CVE-2023-2816
02 Jun 2023 — Consul and Consul Enterprise allowed any user with service:write permissions to use Envoy extensions configured via service-defaults to patch remote proxy instances that target the configured service, regardless of whether the user has permission to modify the service(s) corresponding to those modified proxies. Multiple vulnerabilities have been discovered in HashiCorp Consul, the worst of which could result in denial of service. Versions greater than or equal to 1.15.10 are affected.
https://discuss.hashicorp.com/t/hcsec-2023-16-consul-envoy-extension-downstream-proxy-configuration-by-upstream-service-owner/54525
CWE-266: Incorrect Privilege Assignment
CWE-284: Improper Access Control