VYPR

apk package

chainguard/consul-1.17

pkg:apk/chainguard/consul-1.17

Vulnerabilities (39)

  • CVE-2023-45288HigApr 4, 2024
    affected < 1.17.4-r1fixed 1.17.4-r1

    An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed Ma

  • CVE-2024-28180Mar 9, 2024
    affected < 1.17.4-r4fixed 1.17.4-r4

    Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now ret

  • CVE-2024-24786HigMar 5, 2024
    affected < 1.17.3-r2fixed 1.17.3-r2

    The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.

  • CVE-2024-24785MedMar 5, 2024
    affected < 1.17.3-r1fixed 1.17.3-r1

    If errors returned from MarshalJSON methods contain user controlled data, they may be used to break the contextual auto-escaping behavior of the html/template package, allowing for subsequent actions to inject unexpected content into templates.

  • CVE-2024-24784HigMar 5, 2024
    affected < 1.17.3-r1fixed 1.17.3-r1

    The ParseAddressList function incorrectly handles comments (text within parentheses) within display names. Since this is a misalignment with conforming address parsers, it can result in different trust decisions being made by programs using different parsers.

  • CVE-2024-24783MedMar 5, 2024
    affected < 1.17.3-r1fixed 1.17.3-r1

    Verifying a certificate chain which contains a certificate with an unknown public key algorithm will cause Certificate.Verify to panic. This affects all crypto/tls clients, and servers that set Config.ClientAuth to VerifyClientCertIfGiven or RequireAndVerifyClientCert. The defaul

  • CVE-2023-45290MedMar 5, 2024
    affected < 1.17.3-r1fixed 1.17.3-r1

    When parsing a multipart form (either explicitly with Request.ParseMultipartForm or implicitly with Request.FormValue, Request.PostFormValue, or Request.FormFile), limits on the total size of the parsed form were not applied to the memory consumed while reading a single form line

  • CVE-2023-45289MedMar 5, 2024
    affected < 1.17.3-r1fixed 1.17.3-r1

    When following an HTTP redirect to a domain which is not a subdomain match or exact match of the initial domain, an http.Client does not forward sensitive headers such as "Authorization" or "Cookie". For example, a redirect from foo.com to www.foo.com will forward the Authorizati

  • CVE-2023-1297Jun 2, 2023
    affected < 0fixed 0

    Consul and Consul Enterprise's cluster peering implementation contained a flaw whereby a peer cluster with service of the same name as a local service could corrupt Consul state, resulting in denial of service. This vulnerability was resolved in Consul 1.14.5, and 1.15.3

  • CVE-2022-40716Sep 23, 2022
    affected < 0fixed 0

    HashiCorp Consul and Consul Enterprise up to 1.11.8, 1.12.4, and 1.13.1 do not check for multiple SAN URI values in a CSR on the internal RPC endpoint, enabling leverage of privileged access to bypass service mesh intentions. Fixed in 1.11.9, 1.12.5, and 1.13.2."

  • CVE-2022-29153Apr 19, 2022
    affected < 0fixed 0

    HashiCorp Consul and Consul Enterprise up to 1.9.16, 1.10.9, and 1.11.4 may allow server side request forgery when the Consul client agent follows redirects returned by HTTP health check endpoints. Fixed in 1.9.17, 1.10.10, and 1.11.5.

  • CVE-2021-38698Sep 7, 2021
    affected < 0fixed 0

    HashiCorp Consul and Consul Enterprise 1.10.1 Txn.Apply endpoint allowed services to register proxies for other services, enabling access to service traffic. Fixed in 1.8.15, 1.9.9 and 1.10.2.

  • CVE-2021-37219Sep 7, 2021
    affected < 0fixed 0

    HashiCorp Consul and Consul Enterprise 1.10.1 Raft RPC layer allows non-server agents with a valid certificate signed by the same CA to access server-only functionality, enabling privilege escalation. Fixed in 1.8.15, 1.9.9 and 1.10.2.

  • CVE-2021-36213Jul 17, 2021
    affected < 0fixed 0

    HashiCorp Consul and Consul Enterprise 1.9.0 through 1.10.0 default deny policy with a single L7 application-aware intention deny action cancels out, causing the intention to incorrectly fail open, allowing L4 traffic. Fixed in 1.9.8 and 1.10.1.

  • CVE-2021-32574Jul 17, 2021
    affected < 0fixed 0

    HashiCorp Consul and Consul Enterprise 1.3.0 through 1.10.0 Envoy proxy TLS configuration does not validate destination service identity in the encoded subject alternative name. Fixed in 1.8.14, 1.9.8, and 1.10.1.

  • CVE-2020-25864Apr 20, 2021
    affected < 0fixed 0

    HashiCorp Consul and Consul Enterprise up to version 1.9.4 key-value (KV) raw mode was vulnerable to cross-site scripting. Fixed in 1.9.5, 1.8.10 and 1.7.14.

  • CVE-2020-8559Jul 22, 2020
    affected < 1.17.4-r34fixed 1.17.4-r34

    The Kubernetes kube-apiserver in versions v1.6-v1.15, and versions prior to v1.16.13, v1.17.9 and v1.18.6 are vulnerable to an unvalidated redirect on proxied upgrade requests that could allow an attacker to escalate privileges from a node compromise to a full cluster compromise.

  • CVE-2020-7219Jan 31, 2020
    affected < 0fixed 0

    HashiCorp Consul and Consul Enterprise up to 1.6.2 HTTP/RPC services allowed unbounded resource usage, and were susceptible to unauthenticated denial of service. Fixed in 1.6.3.

  • CVE-2019-9764Mar 26, 2019
    affected < 0fixed 0

    HashiCorp Consul 1.4.3 lacks server hostname verification for agent-to-agent TLS communication. In other words, the product behaves as if verify_server_hostname were set to false, even when it is actually set to true. This is fixed in 1.4.4.

Page 2 of 2