Hanshasselberg

**Name of the Vulnerable Software and Affected Versions** HashiCorp Consul and Consul Enterprise versions 1.4.0 through 1.6.5 HashiCorp Consul and Consul Enterprise versions 1.7.0 through 1.7.3 **Description** The issue arises from HashiCorp Consul and Consul Enterprise failing to enforce changes to legacy ACL token rules due to non-propagation to secondary data centers. This was introduced in version 1.4.0. **Recommendations** For versions 1.4.0 through 1.6.5, update to version 1.6.6 or later. For versions 1.7.0 through 1.7.3, update to version 1.7.4 or later.

**Name of the Vulnerable Software and Affected Versions** HashiCorp Consul and Consul Enterprise versions 1.4.1 through 1.6.2 **Description** The issue results from the non-uniform enforcement of Access Control Lists (ACLs) across all API endpoints, potentially leading to unintended information disclosure. **Recommendations** For versions 1.4.1 through 1.6.2, update to version 1.6.3 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** HashiCorp Consul version 1.4.3 **Description** The issue arises from a lack of server hostname verification for agent-to-agent TLS communication in HashiCorp Consul. This occurs even when the `verify server hostname` setting is set to true, causing the product to behave as if it were set to false. **Recommendations** For HashiCorp Consul version 1.4.3, update to version 1.4.4 to resolve the issue. As a temporary workaround, consider disabling agent-to-agent TLS communication until the update can be applied.