VYPR
Moderate severity · NVD Advisory · Published Apr 20, 2021 · Updated Aug 4, 2024

CVE-2020-25864

Description

In HashiCorp Consul and Consul Enterprise up to version 1.9.4, key-value (KV) raw mode was vulnerable to cross-site scripting. Fixed in 1.9.5, 1.8.10 and 1.7.14.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

HashiCorp Consul and Consul Enterprise up to 1.9.4 are vulnerable to XSS via the KV API's raw mode, allowing arbitrary script execution. Fixed in 1.9.5, 1.8.10, 1.7.14.

Vulnerability

HashiCorp Consul and Consul Enterprise versions up to and including 1.9.4 are vulnerable to cross-site scripting (XSS) in the key-value (KV) API when raw mode is used. With the raw parameter, the KV API returns the stored value of a key without the usual JSON wrapper, so a specially crafted key-value entry can deliver arbitrary HTML/JavaScript that the requesting browser may render [1][3].

Exploitation

An attacker must have write access to the Consul KV store to create a malicious key-value entry containing an XSS payload. When a user (such as an administrator) accesses that key via the KV API with the raw parameter, the payload is rendered by the browser, allowing the attacker to execute arbitrary scripts in the context of the Consul web interface or endpoint [3].

Impact

Successful exploitation enables an attacker to perform arbitrary JavaScript execution in the victim's browser session, potentially leading to theft of session tokens, defacement, or further compromise of the Consul environment. The vulnerability does not directly allow remote code execution but can be leveraged for information disclosure and privilege escalation within the context of the user's session [1][3].

Mitigation

HashiCorp has released fixed versions: Consul 1.9.5, 1.8.10, and 1.7.14 [1][3][4]. Users should upgrade to one of these versions or later. There are no known workarounds for this vulnerability. The Gentoo security advisory (GLSA 202208-09) also recommends upgrading to >=app-admin/consul-1.9.17 as later versions include additional fixes [4].
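As an added illustration (not Consul's code), the Go handlers below show the mechanism from the Vulnerability section and the hardening a maintainer would apply: a raw KV value written with no declared Content-Type is sniffed as HTML, while declaring text/plain with X-Content-Type-Options: nosniff keeps the same bytes from rendering as a document. The in-memory store, key name and sample value are constructed; the page does not say what change the patched versions made, so the hardened handler shows the standard mitigation for this class of bug rather than Consul's actual patch.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed in-memory store standing in for Consul's KV (not Consul code).
// The value is plain HTML with no script, enough to trigger MIME sniffing.
var kv = map[string][]byte{
	"web/banner": []byte("<html><body>constructed HTML stored as a KV value</body></html>"),
}

// rawHandlerUnsafe mirrors the weakness: the stored bytes are written with no
// explicit Content-Type, so net/http sniffs the body and labels it text/html.
func rawHandlerUnsafe(w http.ResponseWriter, r *http.Request) {
	w.Write(kv[strings.TrimPrefix(r.URL.Path, "/v1/kv/")])
}

// rawHandlerHardened serves the same bytes but declares them text/plain and
// forbids browser MIME sniffing, so the value is never rendered as a document.
func rawHandlerHardened(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "text/plain; charset=utf-8")
	w.Header().Set("X-Content-Type-Options", "nosniff")
	w.Write(kv[strings.TrimPrefix(r.URL.Path, "/v1/kv/")])
}

// RendersAsHTML answers the defender's question for a raw-mode response:
// would a browser treat this body as an HTML document?
func RendersAsHTML(h http.Handler, path string) bool {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, path+"?raw", nil))
	ct := rec.Header().Get("Content-Type")
	nosniff := strings.EqualFold(rec.Header().Get("X-Content-Type-Options"), "nosniff")
	if strings.HasPrefix(ct, "text/html") {
		return true
	}
	// With no declared type and no nosniff, the browser sniffs the body itself.
	if ct == "" && !nosniff {
		return strings.HasPrefix(http.DetectContentType(rec.Body.Bytes()), "text/html")
	}
	return false
}

func main() {
	fmt.Println("unsafe renders as HTML:", RendersAsHTML(http.HandlerFunc(rawHandlerUnsafe), "/v1/kv/web/banner"))
	fmt.Println("hardened renders as HTML:", RendersAsHTML(http.HandlerFunc(rawHandlerHardened), "/v1/kv/web/banner"))
}
```

The same RendersAsHTML check, pointed at a real response's headers and body, is a quick way to confirm that an upgraded instance no longer lets raw KV values render.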

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Ecosystem | Affected versions | Patched versions
github.com/hashicorp/consul | Go | >= 1.9.0, < 1.9.5 | 1.9.5
github.com/hashicorp/consul | Go | >= 1.8.0, < 1.8.10 | 1.8.10
github.com/hashicorp/consul | Go | < 1.7.14 | 1.7.14

Affected products: 27

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 5

News mentions: 0 (no linked articles in the index yet)