Token Scope Enforcement Flaw in HashiCorp Consul and Consul Enterprise
CVE-2020-13170

7.5HIGH

Key Information:

Vendor
Hashicorp
Status
Consul
Vendor
CVE Published:
11 June 2020

Summary

A flaw in HashiCorp Consul and Consul Enterprise allows local tokens issued by a primary data center to bypass scope enforcement when replication to a secondary data center is disabled. This issue impacts versions 1.4.0 through 1.6.5, making it crucial for users to update to version 1.6.6 or higher to mitigate potential risks associated with unauthorized token access. Detailed changelogs from GitHub provide insights into the resolution of this vulnerability.

References

https://github.com/hashicorp/consul/blob/v1.6.6/CHANGELOG.md
x_refsource_CONFIRM
https://github.com/hashicorp/consul/blob/v1.7.4/CHANGELOG.md
x_refsource_CONFIRM
https://github.com/hashicorp/consul/pull/8068
x_refsource_CONFIRM

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.