cve,link,title,description,vendor,products,score,severity,epss,cisa,cisa_published,article,ransomware,exploited,exploited_date,poc,trended,trended_no_1,trended_no_1_date,published,trended_score
CVE-2024-10086,https://securityvulnerability.io/vulnerability/CVE-2024-10086,"Reflective XSS vulnerability found in Consul and Consul Enterprise","A vulnerability was identified in Consul and Consul Enterprise such that the server response did not explicitly set a Content-Type HTTP header, allowing user-provided inputs to be misinterpreted and lead to reflected XSS.",Hashicorp,"Consul,Consul Enterprise",6.1,MEDIUM,0.0004600000102072954,false,,false,false,false,,,false,false,,2024-10-30T21:21:46.559Z,0
CVE-2024-10006,https://securityvulnerability.io/vulnerability/CVE-2024-10006,Bypassing HTTP Header Based Access Rules via L7 Traffic Intentions,"A security issue has been detected in Consul and Consul Enterprise that allows L7 traffic intentions to bypass access controls established through HTTP headers. This vulnerability could enable unauthorized access, disrupting the expected security posture of applications relying on these header-based rules. It's crucial for users to review and mitigate potential risks associated with this issue.",Hashicorp,"Consul,Consul Enterprise",5.8,MEDIUM,0.0004600000102072954,false,,false,false,false,,,false,false,,2024-10-30T21:20:37.011Z,0
CVE-2024-10005,https://securityvulnerability.io/vulnerability/CVE-2024-10005,Bypassing HTTP Request Path-Based Access Rules Through URL Paths in L7 Traffic,A vulnerability in Consul and Consul Enterprise allows attackers to bypass HTTP request path-based access controls through the manipulation of URL paths in Layer 7 (L7) traffic intentions. This could lead to unauthorized access to sensitive resources and pose a significant risk to network security. Users are advised to review their access control configurations and apply necessary updates to mitigate potential exploits related to this issue.,Hashicorp,"Consul,Consul Enterprise",5.8,MEDIUM,0.00046999999904073775,false,,false,false,false,,,false,false,,2024-10-30T21:19:22.576Z,0
CVE-2023-3518,https://securityvulnerability.io/vulnerability/CVE-2023-3518,JWT Auth in L7 Intentions Allows For Mismatched Service Identity and JWT Providers for Access,"HashiCorp Consul and Consul Enterprise version 1.16.0 presents an issue where the JWT authentication for service mesh incorrectly manages access permissions based on mismatched service identities. This flaw may allow unauthorized access or deny legitimate access to services in the mesh. The vulnerability has been addressed in version 1.16.1, and users are encouraged to upgrade to safeguard against potential exploitation.",Hashicorp,"Consul,Consul Enterprise",7.4,HIGH,0.0007699999841861427,false,,false,false,false,,,false,false,,2023-08-09T16:15:00.000Z,0
CVE-2023-2816,https://securityvulnerability.io/vulnerability/CVE-2023-2816,Consul Envoy Extension Downstream Proxy Configuration By Upstream Service Owner,"A vulnerability exists in Consul and Consul Enterprise that allows users with service:write permissions to exploit Envoy extensions through service-defaults. This misconfiguration enables unauthorized users to alter remote proxy instances that target the designated services. Consequently, even if these users lack the requisite permissions to make changes to the corresponding services, they can still affect the behavior of these services, leading to potential security risks and unauthorized access.",Hashicorp,"Consul,Consul Enterprise",8.7,HIGH,0.0004900000058114529,false,,false,false,false,,,false,false,,2023-06-02T23:15:00.000Z,0
CVE-2023-1297,https://securityvulnerability.io/vulnerability/CVE-2023-1297,"Consul Cluster Peering can Result in Denial of Service","The cluster peering implementation in Consul and Consul Enterprise has a flaw that permits a peer cluster with a service sharing the same name as a local service to corrupt the Consul state. This situation can lead to a disruption in service, effectively resulting in a denial of service. This vulnerability has been addressed in versions 1.14.5 and 1.15.3 of Consul.",Hashicorp,"Consul,Consul Enterprise",4.9,MEDIUM,0.0008999999845400453,false,,false,false,false,,,false,false,,2023-06-02T23:15:00.000Z,0
CVE-2023-0845,https://securityvulnerability.io/vulnerability/CVE-2023-0845,Consul Server Panic when Ingress and API Gateways Configured with Peering,Consul and Consul Enterprise allowed an authenticated user with service:write permissions to trigger a workflow that causes Consul server and client agents to crash under certain circumstances. This vulnerability was fixed in Consul 1.14.5.,HashiCorp,"Consul,Consul Enterprise",6.5,MEDIUM,0.001129999989643693,false,,false,false,false,,,false,false,,2023-03-09T16:15:00.000Z,0
CVE-2022-3920,https://securityvulnerability.io/vulnerability/CVE-2022-3920,Consul Peering Imported Nodes/Services Leak,HashiCorp Consul and Consul Enterprise 1.13.0 up to 1.13.3 do not filter cluster filtering's imported nodes and services for HTTP or RPC endpoints used by the UI. Fixed in 1.14.0.,Hashicorp,"Consul,Consul Enterprise",5.3,MEDIUM,0.0017900000093504786,false,,false,false,false,,,false,false,,2022-11-16T00:15:00.000Z,0
CVE-2021-41803,https://securityvulnerability.io/vulnerability/CVE-2021-41803,Input Validation Flaw in HashiCorp Consul Leading to JWT Claim Vulnerabilities,"An input validation error has been identified in HashiCorp Consul versions ranging from 1.8.1 to 1.11.8, as well as 1.12.4 and 1.13.1. The vulnerability arises when node or segment names are not adequately validated before being interpolated in JSON Web Token (JWT) claim assertions during the auto configuration remote procedure call (RPC). This oversight can potentially lead to unauthorized access or manipulation of sensitive data. Users are advised to update to fixed versions 1.11.9, 1.12.5, or 1.13.2 to secure their deployments against this issue.",Hashicorp,Consul,7.1,HIGH,0.002369999885559082,false,,false,false,false,,,false,false,,2022-09-23T00:00:00.000Z,0
CVE-2022-40716,https://securityvulnerability.io/vulnerability/CVE-2022-40716,Service Mesh Intention Bypass in HashiCorp Consul and Consul Enterprise,"HashiCorp Consul and Consul Enterprise versions up to 1.11.8, 1.12.4, and 1.13.1 are affected by a vulnerability that allows attackers to leverage privileged access to bypass service mesh intentions. This occurs due to the lack of validation for multiple Subject Alternative Name (SAN) URI values in Certificate Signing Requests (CSRs) on the internal RPC endpoint. The issue has been addressed in subsequent releases, specifically versions 1.11.9, 1.12.5, and 1.13.2, reinforcing the importance of timely software updates to mitigate such security risks.",Hashicorp,Consul,6.5,MEDIUM,0.0015399999683722854,false,,false,false,false,,,false,false,,2022-09-23T00:00:00.000Z,0
CVE-2022-38149,https://securityvulnerability.io/vulnerability/CVE-2022-38149,Data Exposure Vulnerability in HashiCorp Consul Template,"The vulnerability in HashiCorp Consul Template allows for the potential exposure of sensitive Vault secrets when improperly processing templates that utilize these secrets. It occurs in specific versions where the method *template.Template.Execute can leak secret data through error messages. This incident highlights the critical importance of proper input validation and the need for secure coding practices to safeguard sensitive information. The issue has been addressed in newer versions, reinforcing the necessity for users to update their installations to mitigate this risk effectively.",Hashicorp,Consul Template,7.5,HIGH,0.0015800000401213765,false,,false,false,false,,,false,false,,2022-08-17T14:30:53.000Z,0
CVE-2022-29153,https://securityvulnerability.io/vulnerability/CVE-2022-29153,Server-Side Request Forgery Vulnerability in HashiCorp Consul and Consul Enterprise,"HashiCorp Consul and Consul Enterprise versions up to 1.9.16, 1.10.9, and 1.11.4 are vulnerable to a server-side request forgery (SSRF). This occurs when the Consul client agent processes redirects from HTTP health check endpoints without proper validation, potentially allowing attackers to manipulate requests and access unauthorized internal services. The issue is resolved in versions 1.9.17, 1.10.10, and 1.11.5.",Hashicorp,Consul,7.5,HIGH,0.03807000070810318,false,,false,false,false,,,false,false,,2022-04-19T00:00:00.000Z,0
CVE-2022-24687,https://securityvulnerability.io/vulnerability/CVE-2022-24687,Service Registration Vulnerability in HashiCorp Consul and Consul Enterprise,"A vulnerability exists in HashiCorp Consul and Consul Enterprise versions 1.9.0 through 1.9.14, 1.10.7, and 1.11.2, affecting clusters with at least one Ingress Gateway. A user with 'service:write' permissions can register a specifically defined service that may lead to a panic condition on the Consul servers, potentially causing them to shut down unexpectedly. This issue is addressed in versions 1.9.15, 1.10.8, and 1.11.3.",Hashicorp,Consul,6.5,MEDIUM,0.003019999945536256,false,,false,false,false,,,false,false,,2022-02-24T15:37:51.000Z,0
CVE-2021-41805,https://securityvulnerability.io/vulnerability/CVE-2021-41805,Access Control Flaw in HashiCorp Consul Enterprise Affects Multiple Versions,"An access control vulnerability in HashiCorp Consul Enterprise allows a malicious actor to exploit ACL tokens with default operator:write permissions. This oversight permits privilege escalation across different namespaces, putting user data and system integrity at risk, as users can inadvertently gain elevated permissions beyond their intended access.",Hashicorp,Consul,8.8,HIGH,0.001970000099390745,false,,false,false,true,2022-12-07T10:50:17.000Z,true,false,false,,2021-12-12T04:51:21.000Z,0
CVE-2021-38698,https://securityvulnerability.io/vulnerability/CVE-2021-38698,Improper Authorization in HashiCorp Consul and Consul Enterprise,"An improper authorization issue in HashiCorp Consul and Consul Enterprise versions prior to 1.10.2 allowed services to register proxies for other services via the Txn.Apply endpoint. This vulnerability facilitated unauthorized access to service traffic, potentially exposing sensitive system interactions and compromising overall system integrity. Users are advised to upgrade to versions 1.8.15, 1.9.9, or 1.10.2 to mitigate this risk.",Hashicorp,Consul,6.5,MEDIUM,0.0010300000431016088,false,,false,false,false,,,false,false,,2021-09-07T11:45:14.000Z,0
CVE-2021-37219,https://securityvulnerability.io/vulnerability/CVE-2021-37219,Privilege Escalation in HashiCorp Consul and Consul Enterprise,"The vulnerability in HashiCorp Consul and Consul Enterprise version 1.10.1 relates to the Raft RPC layer, where non-server agents equipped with a valid certificate from the same Certificate Authority can gain access to functionalities restricted to server agents. This flaw allows unauthorized escalation of privileges, potentially compromising the integrity of the system. It has been addressed in subsequent releases: versions 1.8.15, 1.9.9, and 1.10.2.",Hashicorp,Consul,8.8,HIGH,0.001970000099390745,false,,false,false,false,,,false,false,,2021-09-07T11:33:26.000Z,0
CVE-2021-36213,https://securityvulnerability.io/vulnerability/CVE-2021-36213,Application-Aware Intention Deny Action Flaw in HashiCorp Consul and Consul Enterprise,"The assignment of a default deny policy in HashiCorp Consul and Consul Enterprise versions from 1.9.0 to 1.10.0 is flawed. When combined with a single L7 application-aware intention deny action, this flaw leads to the incorrect evaluation of the intention, causing it to improperly fail open. As a result, Layer 4 (L4) traffic, which should be restricted, is inadvertently allowed to pass through, potentially exposing the environment to malicious access. This issue has been addressed in versions 1.9.8 and 1.10.1.",Hashicorp,Consul,7.5,HIGH,0.0011099999537691474,false,,false,false,false,,,false,false,,2021-07-17T17:32:36.000Z,0
CVE-2021-32574,https://securityvulnerability.io/vulnerability/CVE-2021-32574,Envoy Proxy TLS Configuration Issue in HashiCorp Consul,"An issue in the Envoy proxy TLS configuration of HashiCorp Consul and Consul Enterprise allows for the potential failure to properly validate the destination service identity within the encoded subject alternative name. This lack of validation may lead to security risks and could affect the communication integrity between services. The vulnerability has been addressed in the following versions: 1.8.14, 1.9.8, and 1.10.1, ensuring improved validation processes.",Hashicorp,Consul,7.5,HIGH,0.001610000035725534,false,,false,false,false,,,false,false,,2021-07-17T17:28:11.000Z,0
CVE-2021-28156,https://securityvulnerability.io/vulnerability/CVE-2021-28156,Audit Log Bypass Vulnerability in HashiCorp Consul Enterprise,"The audit log in HashiCorp Consul Enterprise versions between 1.8.0 and 1.9.4 is susceptible to bypassing through specially crafted HTTP events. This vulnerability allows unauthorized access to sensitive log data, potentially compromising system integrity and confidentiality. For mitigation, users are advised to upgrade to Consul Enterprise version 1.9.5 or 1.8.10, which address this issue effectively.",Hashicorp,Consul,7.5,HIGH,0.0027199999894946814,false,,false,false,false,,,false,false,,2021-04-20T15:02:58.000Z,0
CVE-2020-25864,https://securityvulnerability.io/vulnerability/CVE-2020-25864,Cross-Site Scripting Vulnerability in HashiCorp Consul and Consul Enterprise,"The key-value (KV) raw mode in HashiCorp Consul and Consul Enterprise prior to version 1.9.5 is susceptible to cross-site scripting vulnerabilities, which may allow attackers to inject malicious scripts into web applications. This poses a significant risk, enabling unauthorized actions and data theft. Users are advised to upgrade to versions 1.9.5, 1.8.10, or 1.7.14 to mitigate these security concerns.",Hashicorp,Consul,6.1,MEDIUM,0.0762299969792366,false,,false,false,false,,,false,false,,2021-04-20T13:07:21.000Z,0
CVE-2020-29564,https://securityvulnerability.io/vulnerability/CVE-2020-29564,Remote Code Execution Risk in Consul Docker Images from HashiCorp,"The Consul Docker images from HashiCorp, specifically versions 0.7.1 through 1.4.2, are susceptible to a significant security issue due to a default blank password for the root user. This vulnerability allows attackers to exploit the Docker container and gain unauthorized root access remotely, posing serious risks to the integrity and confidentiality of the system. Organizations using these affected versions should take immediate action to secure their deployments by either applying necessary patches or implementing stringent access controls.",Hashicorp,Consul Docker Image,9.8,CRITICAL,0.00343000004068017,false,,false,false,false,,,false,false,,2020-12-08T15:26:59.000Z,0
CVE-2020-28053,https://securityvulnerability.io/vulnerability/CVE-2020-28053,Improper Access Control in HashiCorp Consul and Consul Enterprise,"An improper access control vulnerability in HashiCorp Consul and Consul Enterprise versions 1.2.0 through 1.8.5 allows operators with limited ACL permissions to access the Connect CA private key configuration. This exposure can lead to unauthorized access and potential abuse of the security features provided by Consul, compromising the integrity of service-to-service communication. The issue has been resolved in versions 1.6.10, 1.7.10, and 1.8.6.",Hashicorp,Consul,6.5,MEDIUM,0.0010400000028312206,false,,false,false,false,,,false,false,,2020-11-23T13:11:27.000Z,0
CVE-2020-25201,https://securityvulnerability.io/vulnerability/CVE-2020-25201,Denial of Service Vulnerability in HashiCorp Consul Enterprise,"A denial of service vulnerability exists in HashiCorp Consul Enterprise versions ranging from 1.7.0 to 1.8.4, due to a namespace replication bug. This issue can be exploited through continuous Raft writes, potentially leading to performance degradation or complete service outage. The vulnerability has been addressed in versions 1.7.9 and 1.8.5, and all users are encouraged to update to these versions to mitigate the risk.",Hashicorp,Consul,7.5,HIGH,0.0018400000408291817,false,,false,false,false,,,false,false,,2020-11-04T22:32:10.000Z,0
CVE-2020-13170,https://securityvulnerability.io/vulnerability/CVE-2020-13170,,"HashiCorp Consul and Consul Enterprise did not appropriately enforce scope for local tokens issued by a primary data center, where replication to a secondary data center was not enabled. Introduced in 1.4.0, fixed in 1.6.6 and 1.7.4.",Hashicorp,Consul,7.5,HIGH,0.0011500000255182385,false,,false,false,false,,,false,false,,2020-06-11T19:41:25.000Z,0
CVE-2020-12797,https://securityvulnerability.io/vulnerability/CVE-2020-12797,,"HashiCorp Consul and Consul Enterprise failed to enforce changes to legacy ACL token rules due to non-propagation to secondary data centers. Introduced in 1.4.0, fixed in 1.6.6 and 1.7.4.",Hashicorp,Consul,5.3,MEDIUM,0.0011500000255182385,false,,false,false,false,,,false,false,,2020-06-11T19:37:19.000Z,0