Access Control Logic Flaw in HashiCorp Consul and Consul Enterprise
CVE-2020-12797

5.3MEDIUM

Key Information:

Vendor
Hashicorp
Status
Consul
Vendor
CVE Published:
11 June 2020

Summary

A security issue has been identified in HashiCorp Consul and Consul Enterprise, where changes made to legacy ACL token rules are not properly enforced due to non-propagation to secondary data centers. This flaw could potentially allow unauthorized access to sensitive resources in decentralized environments. The issue was introduced in version 1.4.0 and has been resolved in subsequent releases 1.6.6 and 1.7.4.

References

https://github.com/hashicorp/consul/blob/v1.6.6/CHANGELOG.md
x_refsource_CONFIRM
https://github.com/hashicorp/consul/blob/v1.7.4/CHANGELOG.md
x_refsource_CONFIRM
https://github.com/hashicorp/consul/pull/8047
x_refsource_CONFIRM

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.