apk package
chainguard/consul-1.15-oci-entrypoint-compat
pkg:apk/chainguard/consul-1.15-oci-entrypoint-compat
Vulnerabilities (20)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-6104 | — | < 1.15.11-r6 | 1.15.11-r6 | Jun 24, 2024 | go-retryablehttp prior to 0.7.7 did not sanitize urls when writing them to its log file. This could lead to go-retryablehttp writing sensitive HTTP basic auth credentials to its log file. This vulnerability, CVE-2024-6104, was fixed in go-retryablehttp 0.7.7. | ||
| CVE-2024-0874 | Med | 5.3 | < 1.15.11-r2 | 1.15.11-r2 | Apr 25, 2024 | A flaw was found in coredns. This issue could lead to invalid cache entries returning due to incorrectly implemented caching. | |
| CVE-2023-45288 | Hig | 7.5 | < 1.15.11-r2 | 1.15.11-r2 | Apr 4, 2024 | An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed Ma | |
| CVE-2024-24786 | Hig | 7.5 | < 1.15.10-r2 | 1.15.10-r2 | Mar 5, 2024 | The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set. | |
| CVE-2023-45284 | — | < 0 | 0 | Nov 9, 2023 | On Windows, The IsLocal function does not correctly detect reserved device names in some cases. Reserved names followed by spaces, such as "COM1 ", and reserved names "COM" and "LPT" followed by superscript 1, 2, or 3, are incorrectly reported as local. With fix, IsLocal now corr | ||
| CVE-2023-45283 | — | < 0 | 0 | Nov 9, 2023 | The filepath package does not recognize paths with a \??\ prefix as special. On Windows, a path beginning with \??\ is a Root Local Device path equivalent to a path beginning with \\?\. Paths with a \??\ prefix may be used to access arbitrary locations on the system. For example, | ||
| CVE-2023-39325 | — | < 1.15.6-r3 | 1.15.6-r3 | Oct 11, 2023 | A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attack | ||
| CVE-2023-3978 | — | < 1.15.6-r3 | 1.15.6-r3 | Aug 2, 2023 | Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack. | ||
| CVE-2023-1297 | — | < 0 | 0 | Jun 2, 2023 | Consul and Consul Enterprise's cluster peering implementation contained a flaw whereby a peer cluster with service of the same name as a local service could corrupt Consul state, resulting in denial of service. This vulnerability was resolved in Consul 1.14.5, and 1.15.3 | ||
| CVE-2023-0845 | — | < 1.15.5-r0 | 1.15.5-r0 | Mar 9, 2023 | Consul and Consul Enterprise allowed an authenticated user with service:write permissions to trigger a workflow that causes Consul server and client agents to crash under certain circumstances. This vulnerability was fixed in Consul 1.14.5. | ||
| CVE-2022-3920 | — | < 1.15.5-r0 | 1.15.5-r0 | Nov 15, 2022 | HashiCorp Consul and Consul Enterprise 1.13.0 up to 1.13.3 do not filter cluster filtering's imported nodes and services for HTTP or RPC endpoints used by the UI. Fixed in 1.14.0. | ||
| CVE-2022-40716 | — | < 0 | 0 | Sep 23, 2022 | HashiCorp Consul and Consul Enterprise up to 1.11.8, 1.12.4, and 1.13.1 do not check for multiple SAN URI values in a CSR on the internal RPC endpoint, enabling leverage of privileged access to bypass service mesh intentions. Fixed in 1.11.9, 1.12.5, and 1.13.2." | ||
| CVE-2022-29153 | — | < 1.15.11-r5 | 1.15.11-r5 | Apr 19, 2022 | HashiCorp Consul and Consul Enterprise up to 1.9.16, 1.10.9, and 1.11.4 may allow server side request forgery when the Consul client agent follows redirects returned by HTTP health check endpoints. Fixed in 1.9.17, 1.10.10, and 1.11.5. | ||
| CVE-2021-38698 | — | < 1.15.11-r5 | 1.15.11-r5 | Sep 7, 2021 | HashiCorp Consul and Consul Enterprise 1.10.1 Txn.Apply endpoint allowed services to register proxies for other services, enabling access to service traffic. Fixed in 1.8.15, 1.9.9 and 1.10.2. | ||
| CVE-2021-37219 | — | < 1.15.11-r5 | 1.15.11-r5 | Sep 7, 2021 | HashiCorp Consul and Consul Enterprise 1.10.1 Raft RPC layer allows non-server agents with a valid certificate signed by the same CA to access server-only functionality, enabling privilege escalation. Fixed in 1.8.15, 1.9.9 and 1.10.2. | ||
| CVE-2021-36213 | — | < 1.15.11-r5 | 1.15.11-r5 | Jul 17, 2021 | HashiCorp Consul and Consul Enterprise 1.9.0 through 1.10.0 default deny policy with a single L7 application-aware intention deny action cancels out, causing the intention to incorrectly fail open, allowing L4 traffic. Fixed in 1.9.8 and 1.10.1. | ||
| CVE-2021-32574 | — | < 1.15.11-r5 | 1.15.11-r5 | Jul 17, 2021 | HashiCorp Consul and Consul Enterprise 1.3.0 through 1.10.0 Envoy proxy TLS configuration does not validate destination service identity in the encoded subject alternative name. Fixed in 1.8.14, 1.9.8, and 1.10.1. | ||
| CVE-2020-25864 | — | < 1.15.11-r5 | 1.15.11-r5 | Apr 20, 2021 | HashiCorp Consul and Consul Enterprise up to version 1.9.4 key-value (KV) raw mode was vulnerable to cross-site scripting. Fixed in 1.9.5, 1.8.10 and 1.7.14. | ||
| CVE-2020-7219 | — | < 1.15.11-r5 | 1.15.11-r5 | Jan 31, 2020 | HashiCorp Consul and Consul Enterprise up to 1.6.2 HTTP/RPC services allowed unbounded resource usage, and were susceptible to unauthenticated denial of service. Fixed in 1.6.3. | ||
| CVE-2019-9764 | — | < 1.15.11-r5 | 1.15.11-r5 | Mar 26, 2019 | HashiCorp Consul 1.4.3 lacks server hostname verification for agent-to-agent TLS communication. In other words, the product behaves as if verify_server_hostname were set to false, even when it is actually set to true. This is fixed in 1.4.4. |
- CVE-2024-6104Jun 24, 2024affected < 1.15.11-r6fixed 1.15.11-r6
go-retryablehttp prior to 0.7.7 did not sanitize urls when writing them to its log file. This could lead to go-retryablehttp writing sensitive HTTP basic auth credentials to its log file. This vulnerability, CVE-2024-6104, was fixed in go-retryablehttp 0.7.7.
- affected < 1.15.11-r2fixed 1.15.11-r2
A flaw was found in coredns. This issue could lead to invalid cache entries returning due to incorrectly implemented caching.
- affected < 1.15.11-r2fixed 1.15.11-r2
An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed Ma
- affected < 1.15.10-r2fixed 1.15.10-r2
The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.
- CVE-2023-45284Nov 9, 2023affected < 0fixed 0
On Windows, The IsLocal function does not correctly detect reserved device names in some cases. Reserved names followed by spaces, such as "COM1 ", and reserved names "COM" and "LPT" followed by superscript 1, 2, or 3, are incorrectly reported as local. With fix, IsLocal now corr
- CVE-2023-45283Nov 9, 2023affected < 0fixed 0
The filepath package does not recognize paths with a \??\ prefix as special. On Windows, a path beginning with \??\ is a Root Local Device path equivalent to a path beginning with \\?\. Paths with a \??\ prefix may be used to access arbitrary locations on the system. For example,
- CVE-2023-39325Oct 11, 2023affected < 1.15.6-r3fixed 1.15.6-r3
A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attack
- CVE-2023-3978Aug 2, 2023affected < 1.15.6-r3fixed 1.15.6-r3
Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack.
- CVE-2023-1297Jun 2, 2023affected < 0fixed 0
Consul and Consul Enterprise's cluster peering implementation contained a flaw whereby a peer cluster with service of the same name as a local service could corrupt Consul state, resulting in denial of service. This vulnerability was resolved in Consul 1.14.5, and 1.15.3
- CVE-2023-0845Mar 9, 2023affected < 1.15.5-r0fixed 1.15.5-r0
Consul and Consul Enterprise allowed an authenticated user with service:write permissions to trigger a workflow that causes Consul server and client agents to crash under certain circumstances. This vulnerability was fixed in Consul 1.14.5.
- CVE-2022-3920Nov 15, 2022affected < 1.15.5-r0fixed 1.15.5-r0
HashiCorp Consul and Consul Enterprise 1.13.0 up to 1.13.3 do not filter cluster filtering's imported nodes and services for HTTP or RPC endpoints used by the UI. Fixed in 1.14.0.
- CVE-2022-40716Sep 23, 2022affected < 0fixed 0
HashiCorp Consul and Consul Enterprise up to 1.11.8, 1.12.4, and 1.13.1 do not check for multiple SAN URI values in a CSR on the internal RPC endpoint, enabling leverage of privileged access to bypass service mesh intentions. Fixed in 1.11.9, 1.12.5, and 1.13.2."
- CVE-2022-29153Apr 19, 2022affected < 1.15.11-r5fixed 1.15.11-r5
HashiCorp Consul and Consul Enterprise up to 1.9.16, 1.10.9, and 1.11.4 may allow server side request forgery when the Consul client agent follows redirects returned by HTTP health check endpoints. Fixed in 1.9.17, 1.10.10, and 1.11.5.
- CVE-2021-38698Sep 7, 2021affected < 1.15.11-r5fixed 1.15.11-r5
HashiCorp Consul and Consul Enterprise 1.10.1 Txn.Apply endpoint allowed services to register proxies for other services, enabling access to service traffic. Fixed in 1.8.15, 1.9.9 and 1.10.2.
- CVE-2021-37219Sep 7, 2021affected < 1.15.11-r5fixed 1.15.11-r5
HashiCorp Consul and Consul Enterprise 1.10.1 Raft RPC layer allows non-server agents with a valid certificate signed by the same CA to access server-only functionality, enabling privilege escalation. Fixed in 1.8.15, 1.9.9 and 1.10.2.
- CVE-2021-36213Jul 17, 2021affected < 1.15.11-r5fixed 1.15.11-r5
HashiCorp Consul and Consul Enterprise 1.9.0 through 1.10.0 default deny policy with a single L7 application-aware intention deny action cancels out, causing the intention to incorrectly fail open, allowing L4 traffic. Fixed in 1.9.8 and 1.10.1.
- CVE-2021-32574Jul 17, 2021affected < 1.15.11-r5fixed 1.15.11-r5
HashiCorp Consul and Consul Enterprise 1.3.0 through 1.10.0 Envoy proxy TLS configuration does not validate destination service identity in the encoded subject alternative name. Fixed in 1.8.14, 1.9.8, and 1.10.1.
- CVE-2020-25864Apr 20, 2021affected < 1.15.11-r5fixed 1.15.11-r5
HashiCorp Consul and Consul Enterprise up to version 1.9.4 key-value (KV) raw mode was vulnerable to cross-site scripting. Fixed in 1.9.5, 1.8.10 and 1.7.14.
- CVE-2020-7219Jan 31, 2020affected < 1.15.11-r5fixed 1.15.11-r5
HashiCorp Consul and Consul Enterprise up to 1.6.2 HTTP/RPC services allowed unbounded resource usage, and were susceptible to unauthenticated denial of service. Fixed in 1.6.3.
- CVE-2019-9764Mar 26, 2019affected < 1.15.11-r5fixed 1.15.11-r5
HashiCorp Consul 1.4.3 lacks server hostname verification for agent-to-agent TLS communication. In other words, the product behaves as if verify_server_hostname were set to false, even when it is actually set to true. This is fixed in 1.4.4.