PT-2020-13371 · Hashicorp+1 · Hashicorp Consul Enterprise+2
Published: 2020-06-11 · Updated: 2024-08-21 · CVE-2020-13170
CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions
HashiCorp Consul and Consul Enterprise versions 1.4.0 through 1.6.5
HashiCorp Consul and Consul Enterprise versions 1.7.0 through 1.7.3
Description
HashiCorp Consul does not properly enforce the scope of local tokens issued by a primary data center when replication to a secondary data center is not enabled. The affected code is in the github.com/hashicorp/consul/agent package. The weakness is related to improper input validation in HashiCorp Consul.
Recommendations
For HashiCorp Consul and Consul Enterprise versions 1.4.0 through 1.6.5, update to version 1.6.6 or later.
For HashiCorp Consul and Consul Enterprise versions 1.7.0 through 1.7.3, update to version 1.7.4 or later.
As a temporary workaround, consider restricting access to local tokens issued by the primary data center until the issue is resolved.
Fix
RCE
Affected Products
Alt Linux
Hashicorp Consul Enterprise
Hashicorp Consul