PT-2019-12736 · Hashicorp · Hashicorp Consul

Danlsgiga · Published 2019-06-06 · Updated 2024-08-20 · CVE-2019-12291

CVSS v3.1: 7.5 High
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: HashiCorp Consul versions 1.4.0 through 1.5.0
Description: Incorrect access control in HashiCorp Consul's ACL enforcement for the KV store. When a policy grants access through a prefix-matching rule (a key_prefix rule), a token using that policy can delete keys that do not match the rule, even when the ACL default policy is set to deny. The CVSS vector reflects this: no confidentiality or availability impact is claimed, but an attacker holding such a token can destroy data outside the scope they were granted. This affects the github.com/hashicorp/consul and github.com/hashicorp/consul/acl packages.
Recommendations: Upgrade to HashiCorp Consul 1.5.1 or later, the release in which HashiCorp fixed this issue; the fix has to be applied on the Consul servers, since enforcement happens there. Until the upgrade is done, treat every token whose policy contains a prefix-matching rule as able to delete keys outside that prefix: audit such policies, limit which tokens and which services carry them, and prefer exact-key rules where the key set is known. Keep the ACL default policy set to deny; it narrows what a token can otherwise do, but as the description notes it does not by itself stop the out-of-prefix deletion. Watch for unexpected KV deletions from those tokens while the vulnerable versions are still deployed.
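One way to check a cluster for the behaviour described above, as an added example that is not code from HashiCorp or from this advisory: seed a key with a management token, try to delete it with a token whose policy only grants write on one prefix, and then re-read the key. On a correctly enforcing cluster the DELETE is refused with HTTP 403 and the key survives; a 200 with the key gone reproduces the described behaviour. The prefix "app/", the probe key "cve-probe/outside", the environment variable names, and the policy shape in the comments are assumptions for this example; the endpoints (/v1/kv/<key>), the X-Consul-Token header, the 403 on ACL denial and the key_prefix rule syntax are Consul's own.

```go
// probe_consul_kv_acl.go
//
// Added example, not HashiCorp code. Checks whether a Consul token whose
// policy only grants write on one key prefix (assumed here: "app/") can
// delete a key outside that prefix (assumed probe key: "cve-probe/outside").
// On a correctly enforcing cluster the DELETE is refused (HTTP 403) and the
// key survives; the CVE-2019-12291 behaviour is that the delete succeeds.
package main

import (
	"bytes"
	"fmt"
	"io"
	"net/http"
	"os"
	"strings"
	"time"
)

// Probe talks to the Consul HTTP API at BaseURL (e.g. http://127.0.0.1:8500).
type Probe struct {
	BaseURL string
	Client  *http.Client
}

// kv sends one KV request with the given token in the X-Consul-Token header
// and returns the status code and response body.
func (p Probe) kv(method, key, token string, body []byte) (int, []byte, error) {
	url := strings.TrimRight(p.BaseURL, "/") + "/v1/kv/" + key
	req, err := http.NewRequest(method, url, bytes.NewReader(body))
	if err != nil {
		return 0, nil, err
	}
	if token != "" {
		req.Header.Set("X-Consul-Token", token)
	}
	resp, err := p.Client.Do(req)
	if err != nil {
		return 0, nil, err
	}
	defer resp.Body.Close()
	data, err := io.ReadAll(resp.Body)
	return resp.StatusCode, data, err
}

// Result records what happened at each step so the operator can see why the
// verdict was reached.
type Result struct {
	DeleteStatus int  // status returned to the restricted token's DELETE
	KeySurvived  bool // key still readable with the management token afterwards
}

// Denied is true only when the delete was refused and the key is still there.
func (r Result) Denied() bool {
	return r.DeleteStatus == http.StatusForbidden && r.KeySurvived
}

// DeleteOutsidePrefix seeds key with mgmtToken, attempts to delete it with
// restrictedToken, then re-reads it with mgmtToken. key must lie outside every
// prefix the restricted token's policy grants write on.
func (p Probe) DeleteOutsidePrefix(mgmtToken, restrictedToken, key string) (Result, error) {
	var r Result
	status, body, err := p.kv(http.MethodPut, key, mgmtToken, []byte("probe"))
	if err != nil {
		return r, err
	}
	if status != http.StatusOK {
		return r, fmt.Errorf("seeding %q with management token failed: %d %s", key, status, body)
	}
	r.DeleteStatus, _, err = p.kv(http.MethodDelete, key, restrictedToken, nil)
	if err != nil {
		return r, err
	}
	status, _, err = p.kv(http.MethodGet, key, mgmtToken, nil)
	if err != nil {
		return r, err
	}
	r.KeySurvived = status == http.StatusOK
	// Clean up the probe key; failures here do not change the verdict.
	p.kv(http.MethodDelete, key, mgmtToken, nil)
	return r, nil
}

func main() {
	addr := os.Getenv("CONSUL_HTTP_ADDR")
	if addr == "" {
		addr = "http://127.0.0.1:8500"
	}
	p := Probe{BaseURL: addr, Client: &http.Client{Timeout: 5 * time.Second}}
	// Assumed env names: a management token, and a token created from a policy
	// containing only   key_prefix "app/" { policy = "write" }
	// on an agent running with acl { default_policy = "deny" }.
	r, err := p.DeleteOutsidePrefix(os.Getenv("CONSUL_MGMT_TOKEN"),
		os.Getenv("CONSUL_RESTRICTED_TOKEN"), "cve-probe/outside")
	if err != nil {
		fmt.Fprintln(os.Stderr, "probe failed:", err)
		os.Exit(2)
	}
	if r.Denied() {
		fmt.Println("OK: delete outside granted prefix refused, status", r.DeleteStatus)
		return
	}
	fmt.Println("VULNERABLE or misconfigured: delete status", r.DeleteStatus,
		"key survived:", r.KeySurvived)
	os.Exit(1)
}
```

Run it with `go run probe_consul_kv_acl.go` against a non-production cluster (it writes and deletes one key under the management token). The verdict rests on the re-read, not on the DELETE status alone: a server that answered 200 but left the key in place would not be counted as denied, and one that answered 403 but removed the key would not either.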

Weakness Enumeration

Improper Access Control

Related Identifiers

ALT-PU-2020-3391
ALT-PU-2020-3421
ALT-PU-2022-1256
CVE-2019-12291
GHSA-H65H-V7FW-4P38
GO-2023-1852

Affected Products

Alt Linux
Hashicorp Consul