CVSS: 8.1EPSS: 0%CPEs: 7EXPL: 1CVE-2023-5332 – Dependency on Vulnerable Third-Party Component in GitLab
https://notcve.org/view.php?id=CVE-2023-5332
04 Dec 2023 — Patch in third party library Consul requires 'enable-script-checks' to be set to False. This was required to enable a patch by the vendor. Without this setting the patch could be bypassed. This only affects GitLab-EE. El parche en la librería de terceros Consul requiere que 'enable-script-checks' esté configurado en False. • https://gitlab.com/gitlab-org/omnibus-gitlab/-/issues/8171 • CWE-16: Configuration CWE-1395: Dependency on Vulnerable Third-Party Component •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-0845 – Consul Server Panic when Ingress and API Gateways Configured with Peering
https://notcve.org/view.php?id=CVE-2023-0845
09 Mar 2023 — Consul and Consul Enterprise allowed an authenticated user with service:write permissions to trigger a workflow that causes Consul server and client agents to crash under certain circumstances. This vulnerability was fixed in Consul 1.14.5. Consul y Consul Enterprise permitieron que un usuario autenticado con servicio:permisos de escritura desencadenara un flujo de trabajo que provoca que el servidor de Consul y los agentes del cliente colapsen en determinadas circunstancias. Esta vulnerabilidad se solucion... • https://discuss.hashicorp.com/t/hcsec-2023-06-consul-server-panic-when-ingress-and-api-gateways-configured-with-peering-connections/51197 • CWE-476: NULL Pointer Dereference •
CVSS: 6.8EPSS: 0%CPEs: 6EXPL: 0CVE-2022-40716
https://notcve.org/view.php?id=CVE-2022-40716
23 Sep 2022 — HashiCorp Consul and Consul Enterprise up to 1.11.8, 1.12.4, and 1.13.1 do not check for multiple SAN URI values in a CSR on the internal RPC endpoint, enabling leverage of privileged access to bypass service mesh intentions. Fixed in 1.11.9, 1.12.5, and 1.13.2." HashiCorp Consul y Consul Enterprise versiones hasta la 1.11.8, 1.12.4, y 1.13.1, no comprueban los valores múltiples de SAN URI en un CSR en el endpoint RPC interno, permitiendo un aprovechamiento del acceso privilegiado para omitir las intencione... • https://discuss.hashicorp.com • CWE-252: Unchecked Return Value •
CVSS: 7.5EPSS: 84%CPEs: 7EXPL: 0CVE-2022-29153 – Gentoo Linux Security Advisory 202208-09
https://notcve.org/view.php?id=CVE-2022-29153
19 Apr 2022 — HashiCorp Consul and Consul Enterprise up to 1.9.16, 1.10.9, and 1.11.4 may allow server side request forgery when the Consul client agent follows redirects returned by HTTP health check endpoints. Fixed in 1.9.17, 1.10.10, and 1.11.5. HashiCorp Consul y Consul Enterprise hasta 1.9.16, 1.10.9, y 1.11.4 pueden permitir la falsificación de peticiones del lado del servidor cuando el agente cliente de Consul sigue las redirecciones devueltas por los puntos finales de comprobación de salud HTTP. Corregido en 1.9... • https://discuss.hashicorp.com • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 6.5EPSS: 0%CPEs: 6EXPL: 0CVE-2021-38698 – Gentoo Linux Security Advisory 202208-09
https://notcve.org/view.php?id=CVE-2021-38698
07 Sep 2021 — HashiCorp Consul and Consul Enterprise 1.10.1 Txn.Apply endpoint allowed services to register proxies for other services, enabling access to service traffic. Fixed in 1.8.15, 1.9.9 and 1.10.2. El endpoint Txn.Apply de HashiCorp Consul y Consul Enterprise versión 1.10.1, permitía que los servicios registraran proxies para otros servicios, permitiendo el acceso al tráfico de los mismos. Corregido en versiones 1.8.15, 1.9.9 y 1.10.2 Multiple vulnerabilities have been discovered in HashiCorp Consul, the worst o... • https://discuss.hashicorp.com/t/hcsec-2021-24-consul-missing-authorization-check-on-txn-apply-endpoint/29026 • CWE-862: Missing Authorization •
CVSS: 8.8EPSS: 2%CPEs: 6EXPL: 0CVE-2021-37219 – Gentoo Linux Security Advisory 202207-01
https://notcve.org/view.php?id=CVE-2021-37219
07 Sep 2021 — HashiCorp Consul and Consul Enterprise 1.10.1 Raft RPC layer allows non-server agents with a valid certificate signed by the same CA to access server-only functionality, enabling privilege escalation. Fixed in 1.8.15, 1.9.9 and 1.10.2. La capa RPC de HashiCorp Consul y Consul Enterprise Raft versión 1.10.1 , permite a agentes que no son servidores con un certificado válido firmado por la misma CA acceder a la funcionalidad server-only, permitiendo una escalada de privilegios. Corregido en 1.8.15, 1.9.9 y 1.... • https://discuss.hashicorp.com/t/hcsec-2021-22-consul-raft-rpc-privilege-escalation/29024 • CWE-295: Improper Certificate Validation •
CVSS: 6.1EPSS: 84%CPEs: 6EXPL: 0CVE-2020-25864 – Gentoo Linux Security Advisory 202208-09
https://notcve.org/view.php?id=CVE-2020-25864
20 Apr 2021 — HashiCorp Consul and Consul Enterprise up to version 1.9.4 key-value (KV) raw mode was vulnerable to cross-site scripting. Fixed in 1.9.5, 1.8.10 and 1.7.14. El modo sin procesar de HashiCorp Consul y Consul Enterprise hasta versión 1.9.4, key-value (KV) era vulnerable a un ataque de tipo cross-site scripting. Corregido en versiones 1.9.5, 1.8.10 y 1.7.14 Multiple vulnerabilities have been discovered in HashiCorp Consul, the worst of which could result in denial of service. Versions less than 1.9.17 ar... • https://discuss.hashicorp.com/t/hcsec-2021-07-consul-api-kv-endpoint-vulnerable-to-cross-site-scripting/23368 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.6EPSS: 0%CPEs: 7EXPL: 0CVE-2021-3121 – gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation
https://notcve.org/view.php?id=CVE-2021-3121
11 Jan 2021 — An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarshal/unmarshal.go lacks certain index validation, aka the "skippy peanut butter" issue. Se detectó un problema en GoGo Protobuf versiones anteriores a 1.3.2. El archivo plugin/unmarshal/unmarshal.go carece de determinada comprobación de índice, también se conoce como el problema "skippy peanut butter" A flaw was found in github.com/gogo/protobuf before 1.3.2 that allows an out-of-bounds access when unmarshalling certain protobuf objects... • https://discuss.hashicorp.com/t/hcsec-2021-23-consul-exposed-to-denial-of-service-in-gogo-protobuf-dependency/29025 • CWE-129: Improper Validation of Array Index •
CVSS: 6.5EPSS: 0%CPEs: 6EXPL: 0CVE-2020-28053 – Gentoo Linux Security Advisory 202208-09
https://notcve.org/view.php?id=CVE-2020-28053
23 Nov 2020 — HashiCorp Consul and Consul Enterprise 1.2.0 up to 1.8.5 allowed operators with operator:read ACL permissions to read the Connect CA private key configuration. Fixed in 1.6.10, 1.7.10, and 1.8.6. HashiCorp Consul y Consul Enterprise versiones 1.2.0 hasta 1.8.5, permitieron a operadores con operador: leer unos permisos ACL para leer la configuración de la clave privada de Connect CA. Corregido en versiones 1.6.10, 1.7.10 y 1.8.6 Multiple vulnerabilities have been discovered in HashiCorp Consul, the wors... • https://github.com/hashicorp/consul/blob/master/CHANGELOG.md#186-november-19-2020 • CWE-863: Incorrect Authorization •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2020-13250
https://notcve.org/view.php?id=CVE-2020-13250
11 Jun 2020 — HashiCorp Consul and Consul Enterprise include an HTTP API (introduced in 1.2.0) and DNS (introduced in 1.4.3) caching feature that was vulnerable to denial of service. Fixed in 1.6.6 and 1.7.4. HashiCorp Consul y Consul Enterprise, incluyen una funcionalidad de caché de HTTP API (introducida en la versión 1.2.0) y DNS (introducida en la versión 1.4.3), que era vulnerable a una denegación de servicio. Corregido en las versiones 1.6.6 y 1.7.4 • https://github.com/hashicorp/consul/blob/v1.6.6/CHANGELOG.md • CWE-770: Allocation of Resources Without Limits or Throttling •