CVE-2020-7219
Description
HashiCorp Consul and Consul Enterprise up to 1.6.2 HTTP/RPC services allowed unbounded resource usage, and were susceptible to unauthenticated denial of service. Fixed in 1.6.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
HashiCorp Consul and Consul Enterprise <=1.6.2 are vulnerable to unauthenticated denial of service due to unbounded resource usage in HTTP/RPC services.
Vulnerability
Details
HashiCorp Consul and Consul Enterprise up to version 1.6.2 contain a vulnerability in their HTTP and RPC services that allows unbounded resource usage [1][2]. An internal security review identified that a Consul server could be overwhelmed by excessive resource consumption when handling many connections, leading to a denial of service condition [2].
Exploitation
Exploitation does not require authentication. Any party with network-level connectivity to a Consul server can launch an attack simply by establishing many unauthenticated HTTP or RPC connections [2]. This generates excessive load, potentially crashing the server and disrupting services [2].
Impact
Successful exploitation affects only availability; confidentiality and data integrity remain intact [2]. However, the denial of service can render the Consul cluster unresponsive, impacting dependent infrastructure.
Mitigation
Upgrading to Consul or Consul Enterprise 1.6.3 or newer resolves the issue [2]. The fix introduces new configuration options such as rpc_max_conns_per_client, rpc_handshake_timeout, http_max_conns_per_client, and https_handshake_timeout to help mitigate resource exhaustion [2].
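The idea behind a per-client connection cap such as rpc_max_conns_per_client or http_max_conns_per_client, as an added sketch that is not part of the advisory and is not HashiCorp's code. The type ConnLimiter, the helper clientKey and the sample addresses are hypothetical names and constructed values.

```go
package main

import (
	"fmt"
	"net"
	"sync"
)

// ConnLimiter caps concurrent connections per client IP (hypothetical type, not Consul's code).
type ConnLimiter struct {
	mu    sync.Mutex
	max   int
	conns map[string]int // client IP -> open connections
}

// clientKey drops the ephemeral port so all sockets from one host share a budget.
func clientKey(remoteAddr string) string {
	if host, _, err := net.SplitHostPort(remoteAddr); err == nil {
		return host
	}
	return remoteAddr
}

// Acquire reports whether a new connection from remoteAddr fits under the cap.
func (l *ConnLimiter) Acquire(remoteAddr string) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	key := clientKey(remoteAddr)
	if l.conns[key] >= l.max {
		return false // caller closes the socket before doing any handshake work
	}
	l.conns[key]++
	return true
}

// Release frees a slot; empty entries are deleted so the map itself stays bounded.
func (l *ConnLimiter) Release(remoteAddr string) {
	l.mu.Lock()
	defer l.mu.Unlock()
	key := clientKey(remoteAddr)
	if l.conns[key]--; l.conns[key] <= 0 {
		delete(l.conns, key)
	}
}

func main() {
	l := &ConnLimiter{max: 2, conns: map[string]int{}} // constructed sample addresses
	fmt.Println(l.Acquire("10.0.0.5:40001"), l.Acquire("10.0.0.5:40002"), l.Acquire("10.0.0.5:40003"), l.Acquire("10.0.0.9:51000"))
}
```

A server would call Acquire right after accepting a socket and Release when the connection closes; a handshake timeout covers the separate case of connections that are admitted but never complete their handshake.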
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/hashicorp/consul (Go) | < 1.6.3 | 1.6.3 |
Affected products
27 products:

- HashiCorp/Consul Enterprise (source: description)
- osv-coords, 26 versions:

| Package | CPE | Affected range |
|---|---|---|
| pkg:apk/chainguard/consul-1.15 | (no CPE) | < 1.15.11-r5 |
| pkg:apk/chainguard/consul-1.15-oci-entrypoint | (no CPE) | < 1.15.11-r5 |
| pkg:apk/chainguard/consul-1.15-oci-entrypoint-compat | (no CPE) | < 1.15.11-r5 |
| pkg:apk/chainguard/consul-1.16 | (no CPE) | < 0 |
| pkg:apk/chainguard/consul-1.16-oci-entrypoint | (no CPE) | < 0 |
| pkg:apk/chainguard/consul-1.16-oci-entrypoint-compat | (no CPE) | < 0 |
| pkg:apk/chainguard/consul-1.17 | (no CPE) | < 0 |
| pkg:apk/chainguard/consul-1.17-fips | (no CPE) | < 0 |
| pkg:apk/chainguard/consul-1.17-fips-oci-entrypoint | (no CPE) | < 0 |
| pkg:apk/chainguard/consul-1.17-fips-oci-entrypoint-compat | (no CPE) | < 0 |
| pkg:apk/chainguard/consul-1.17-oci-entrypoint | (no CPE) | < 0 |
| pkg:apk/chainguard/consul-1.17-oci-entrypoint-compat | (no CPE) | < 0 |
| pkg:apk/chainguard/k3d | (no CPE) | < 5.6.0-r11 |
| pkg:apk/chainguard/k3d-proxy | (no CPE) | < 5.6.0-r11 |
| pkg:apk/chainguard/k3d-tools | (no CPE) | < 5.6.0-r11 |
| pkg:apk/wolfi/consul-1.15 | (no CPE) | < 1.15.11-r5 |
| pkg:apk/wolfi/consul-1.15-oci-entrypoint | (no CPE) | < 1.15.11-r5 |
| pkg:apk/wolfi/consul-1.15-oci-entrypoint-compat | (no CPE) | < 1.15.11-r5 |
| pkg:apk/wolfi/consul-1.16 | (no CPE) | < 0 |
| pkg:apk/wolfi/consul-1.16-oci-entrypoint | (no CPE) | < 0 |
| pkg:apk/wolfi/consul-1.16-oci-entrypoint-compat | (no CPE) | < 0 |
| pkg:apk/wolfi/k3d | (no CPE) | < 5.6.0-r11 |
| pkg:apk/wolfi/k3d-proxy | (no CPE) | < 5.6.0-r11 |
| pkg:apk/wolfi/k3d-tools | (no CPE) | < 5.6.0-r11 |
| pkg:bitnami/consul | (no CPE) | < 1.6.2 |
| pkg:golang/github.com/hashicorp/consul | (no CPE) | < 1.6.3 |
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-23jv-v6qj-3fhh (ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2020-7219 (ghsa; ADVISORY)
- github.com/hashicorp/consul/issues/7159 (ghsa; x_refsource_MISC; WEB)
- www.hashicorp.com/blog/category/consul (ghsa; WEB)
- www.hashicorp.com/blog/category/consul/ (mitre; x_refsource_MISC)