Package consul updated to version 1.4.3-alt1 for branch sisyphus in task 225126.

Published: 2018-12-09
Modified: 2024-11-21

CVE-2018-19653

HashiCorp Consul 0.5.1 through 1.4.0 can use cleartext agent-to-agent RPC communication because the verify_outgoing setting is improperly documented. NOTE: the vendor has provided reconfiguration steps that do not require a software upgrade.

Severity: MEDIUM (5.9) Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

References:

https://github.com/hashicorp/consul/pull/5069
https://github.com/hashicorp/consul/pull/5069
https://groups.google.com/forum/#%21topic/consul-tool/7TCw06oio0I
https://groups.google.com/forum/#%21topic/consul-tool/7TCw06oio0I

Published: 2019-03-06
Modified: 2024-11-21

CVE-2019-8336

HashiCorp Consul (and Consul Enterprise) 1.4.x before 1.4.3 allows a client to bypass intended access restrictions and obtain the privileges of one other arbitrary token within secondary datacenters, because a token with literally "" as its secret is used in unusual circumstances.

Severity: HIGH (8.1) Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

https://github.com/hashicorp/consul/issues/5423
https://github.com/hashicorp/consul/issues/5423

Version: 2.1.0

Package consul update in sisyphus on 2019-03-16

ALT-PU-2019-1446-1

Closed vulnerabilities

CVE-2018-19653

CVE-2019-8336