ALT-PU-2021-3445-1
Closed vulnerabilities
BDU:2021-04800
Уязвимость функции библиотеки GoGo Protobuf, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации
BDU:2022-01882
Уязвимость прокси-сервера Envoy инструмента настройки сервисов Consul, позволяющая нарушителю оказать воздействие на целостность данных
Modified: 2024-11-21
CVE-2020-25864
HashiCorp Consul and Consul Enterprise up to version 1.9.4 key-value (KV) raw mode was vulnerable to cross-site scripting. Fixed in 1.9.5, 1.8.10 and 1.7.14.
- https://discuss.hashicorp.com/t/hcsec-2021-07-consul-api-kv-endpoint-vulnerable-to-cross-site-scripting/23368
- https://discuss.hashicorp.com/t/hcsec-2021-07-consul-api-kv-endpoint-vulnerable-to-cross-site-scripting/23368
- GLSA-202208-09
- GLSA-202208-09
- https://www.hashicorp.com/blog/category/consul
- https://www.hashicorp.com/blog/category/consul
Modified: 2024-11-21
CVE-2021-28156
HashiCorp Consul Enterprise version 1.8.0 up to 1.9.4 audit log can be bypassed by specifically crafted HTTP events. Fixed in 1.9.5, and 1.8.10.
- https://discuss.hashicorp.com/t/hcsec-2021-08-consul-enterprise-audit-log-bypass-for-http-events/23369
- https://discuss.hashicorp.com/t/hcsec-2021-08-consul-enterprise-audit-log-bypass-for-http-events/23369
- GLSA-202208-09
- GLSA-202208-09
- https://www.hashicorp.com/blog/category/consul
- https://www.hashicorp.com/blog/category/consul
Modified: 2024-11-21
CVE-2021-3121
An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarshal/unmarshal.go lacks certain index validation, aka the "skippy peanut butter" issue.
- https://discuss.hashicorp.com/t/hcsec-2021-23-consul-exposed-to-denial-of-service-in-gogo-protobuf-dependency/29025
- https://discuss.hashicorp.com/t/hcsec-2021-23-consul-exposed-to-denial-of-service-in-gogo-protobuf-dependency/29025
- https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc
- https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc
- https://github.com/gogo/protobuf/compare/v1.3.1...v1.3.2
- https://github.com/gogo/protobuf/compare/v1.3.1...v1.3.2
- [skywalking-notifications] 20211018 [GitHub] [skywalking-swck] hanahmily opened a new pull request #37: Fix vulnerabilities
- [skywalking-notifications] 20211018 [GitHub] [skywalking-swck] hanahmily opened a new pull request #37: Fix vulnerabilities
- [pulsar-commits] 20210121 [GitHub] [pulsar-client-go] hrsakai opened a new pull request #446: Upgrade gogo/protobuf to 1.3.2
- [pulsar-commits] 20210121 [GitHub] [pulsar-client-go] hrsakai opened a new pull request #446: Upgrade gogo/protobuf to 1.3.2
- [pulsar-commits] 20210122 [GitHub] [pulsar-client-go] hrsakai opened a new pull request #446: Upgrade gogo/protobuf to 1.3.2
- [pulsar-commits] 20210122 [GitHub] [pulsar-client-go] hrsakai opened a new pull request #446: Upgrade gogo/protobuf to 1.3.2
- https://security.netapp.com/advisory/ntap-20210219-0006/
- https://security.netapp.com/advisory/ntap-20210219-0006/
Modified: 2024-11-21
CVE-2021-32574
HashiCorp Consul and Consul Enterprise 1.3.0 through 1.10.0 Envoy proxy TLS configuration does not validate destination service identity in the encoded subject alternative name. Fixed in 1.8.14, 1.9.8, and 1.10.1.
- https://discuss.hashicorp.com/t/hcsec-2021-17-consul-s-envoy-tls-configuration-did-not-validate-destination-service-subject-alternative-names/26856
- https://discuss.hashicorp.com/t/hcsec-2021-17-consul-s-envoy-tls-configuration-did-not-validate-destination-service-subject-alternative-names/26856
- https://github.com/hashicorp/consul/releases/tag/v1.10.1
- https://github.com/hashicorp/consul/releases/tag/v1.10.1
- GLSA-202208-09
- GLSA-202208-09
- https://www.hashicorp.com/blog/category/consul
- https://www.hashicorp.com/blog/category/consul
Modified: 2024-11-21
CVE-2021-37219
HashiCorp Consul and Consul Enterprise 1.10.1 Raft RPC layer allows non-server agents with a valid certificate signed by the same CA to access server-only functionality, enabling privilege escalation. Fixed in 1.8.15, 1.9.9 and 1.10.2.
- https://discuss.hashicorp.com/t/hcsec-2021-22-consul-raft-rpc-privilege-escalation/29024
- https://discuss.hashicorp.com/t/hcsec-2021-22-consul-raft-rpc-privilege-escalation/29024
- GLSA-202207-01
- GLSA-202207-01
- https://www.hashicorp.com/blog/category/consul
- https://www.hashicorp.com/blog/category/consul
Modified: 2024-11-21
CVE-2021-38698
HashiCorp Consul and Consul Enterprise 1.10.1 Txn.Apply endpoint allowed services to register proxies for other services, enabling access to service traffic. Fixed in 1.8.15, 1.9.9 and 1.10.2.
- https://discuss.hashicorp.com/t/hcsec-2021-24-consul-missing-authorization-check-on-txn-apply-endpoint/29026
- https://discuss.hashicorp.com/t/hcsec-2021-24-consul-missing-authorization-check-on-txn-apply-endpoint/29026
- GLSA-202208-09
- GLSA-202208-09
- https://www.hashicorp.com/blog/category/consul
- https://www.hashicorp.com/blog/category/consul
Modified: 2024-11-21
CVE-2021-41805
HashiCorp Consul Enterprise before 1.8.17, 1.9.x before 1.9.11, and 1.10.x before 1.10.4 has Incorrect Access Control. An ACL token (with the default operator:write permissions) in one namespace can be used for unintended privilege escalation in a different namespace.
- https://discuss.hashicorp.com/t/hcsec-2021-29-consul-enterprise-namespace-default-acls-allow-privilege-escalation/31871
- https://discuss.hashicorp.com/t/hcsec-2021-29-consul-enterprise-namespace-default-acls-allow-privilege-escalation/31871
- https://security.netapp.com/advisory/ntap-20211229-0007/
- https://security.netapp.com/advisory/ntap-20211229-0007/
- https://www.hashicorp.com/blog/category/consul
- https://www.hashicorp.com/blog/category/consul