Vulnerabilities > Hashicorp > Consul > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-06-02 | CVE-2023-2816 | Unspecified vulnerability in Hashicorp Consul 1.15.0 Consul and Consul Enterprise allowed any user with service:write permissions to use Envoy extensions configured via service-defaults to patch remote proxy instances that target the configured service, regardless of whether the user has permission to modify the service(s) corresponding to those modified proxies. | 6.5 |
| 2023-03-09 | CVE-2023-0845 | NULL Pointer Dereference vulnerability in Hashicorp Consul Consul and Consul Enterprise allowed an authenticated user with service:write permissions to trigger a workflow that causes Consul server and client agents to crash under certain circumstances. | 6.5 |
| 2022-09-23 | CVE-2022-40716 | Unchecked Return Value vulnerability in Hashicorp Consul HashiCorp Consul and Consul Enterprise up to 1.11.8, 1.12.4, and 1.13.1 do not check for multiple SAN URI values in a CSR on the internal RPC endpoint, enabling leverage of privileged access to bypass service mesh intentions. | 6.5 |
| 2022-02-24 | CVE-2022-24687 | Unspecified vulnerability in Hashicorp Consul HashiCorp Consul and Consul Enterprise 1.9.0 through 1.9.14, 1.10.7, and 1.11.2 clusters with at least one Ingress Gateway allow a user with service:write to register a specifically-defined service that can cause Consul servers to panic. | 6.5 |
| 2021-12-12 | CVE-2021-41805 | Incorrect Authorization vulnerability in Hashicorp Consul HashiCorp Consul Enterprise before 1.8.17, 1.9.x before 1.9.11, and 1.10.x before 1.10.4 has Incorrect Access Control. | 6.5 |
| 2021-09-07 | CVE-2021-37219 | Improper Certificate Validation vulnerability in Hashicorp Consul HashiCorp Consul and Consul Enterprise 1.10.1 Raft RPC layer allows non-server agents with a valid certificate signed by the same CA to access server-only functionality, enabling privilege escalation. | 6.5 |
| 2021-09-07 | CVE-2021-38698 | Missing Authorization vulnerability in Hashicorp Consul HashiCorp Consul and Consul Enterprise 1.10.1 Txn.Apply endpoint allowed services to register proxies for other services, enabling access to service traffic. | 4.0 |
| 2021-07-17 | CVE-2021-36213 | Unspecified vulnerability in Hashicorp Consul HashiCorp Consul and Consul Enterprise 1.9.0 through 1.10.0 default deny policy with a single L7 application-aware intention deny action cancels out, causing the intention to incorrectly fail open, allowing L4 traffic. | 5.0 |
| 2021-04-20 | CVE-2020-25864 | Cross-site Scripting vulnerability in Hashicorp Consul HashiCorp Consul and Consul Enterprise up to version 1.9.4 key-value (KV) raw mode was vulnerable to cross-site scripting. | 6.1 |
| 2020-11-23 | CVE-2020-28053 | Incorrect Authorization vulnerability in Hashicorp Consul HashiCorp Consul and Consul Enterprise 1.2.0 up to 1.8.5 allowed operators with operator:read ACL permissions to read the Connect CA private key configuration. | 6.5 |