apk package
chainguard/consul-1.22-oci-entrypoint-compat
pkg:apk/chainguard/consul-1.22-oci-entrypoint-compat
Vulnerabilities (7)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-61727 | — | < 1.22.1-r1 | 1.22.1-r1 | Dec 3, 2025 | An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. For example a constraint that excludes the subdomain test.example.com does not prevent a leaf certificate from claiming the SAN *.example.com. | ||
| CVE-2025-61729 | — | < 1.22.1-r1 | 1.22.1-r1 | Dec 2, 2025 | Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a | ||
| CVE-2025-11374 | — | < 1.22.1-r2 | 1.22.1-r2 | Oct 28, 2025 | Consul and Consul Enterprise’s (“Consul”) key/value endpoint is vulnerable to denial of service (DoS) due to incorrect Content Length header validation. This vulnerability, CVE-2025-11374, is fixed in Consul Community Edition 1.22.0 and Consul Enterprise 1.22.0, 1.21.6, 1.20.8 an | ||
| CVE-2025-11375 | — | < 1.22.1-r2 | 1.22.1-r2 | Oct 28, 2025 | Consul and Consul Enterprise’s (“Consul”) event endpoint is vulnerable to denial of service (DoS) due to lack of maximum value on the Content Length header. This vulnerability, CVE-2025-11375, is fixed in Consul Community Edition 1.22.0 and Consul Enterprise 1.22.0, 1.21.6, 1.20. | ||
| CVE-2024-10086 | — | < 1.22.1-r2 | 1.22.1-r2 | Oct 30, 2024 | A vulnerability was identified in Consul and Consul Enterprise such that the server response did not explicitly set a Content-Type HTTP header, allowing user-provided inputs to be misinterpreted and lead to reflected XSS. | ||
| CVE-2024-10006 | — | < 1.22.1-r2 | 1.22.1-r2 | Oct 30, 2024 | A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such that using Headers in L7 traffic intentions could bypass HTTP header based access rules. | ||
| CVE-2024-10005 | — | < 1.22.1-r2 | 1.22.1-r2 | Oct 30, 2024 | A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such that using URL paths in L7 traffic intentions could bypass HTTP request path-based access rules. |
- CVE-2025-61727Dec 3, 2025affected < 1.22.1-r1fixed 1.22.1-r1
An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. For example a constraint that excludes the subdomain test.example.com does not prevent a leaf certificate from claiming the SAN *.example.com.
- CVE-2025-61729Dec 2, 2025affected < 1.22.1-r1fixed 1.22.1-r1
Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a
- CVE-2025-11374Oct 28, 2025affected < 1.22.1-r2fixed 1.22.1-r2
Consul and Consul Enterprise’s (“Consul”) key/value endpoint is vulnerable to denial of service (DoS) due to incorrect Content Length header validation. This vulnerability, CVE-2025-11374, is fixed in Consul Community Edition 1.22.0 and Consul Enterprise 1.22.0, 1.21.6, 1.20.8 an
- CVE-2025-11375Oct 28, 2025affected < 1.22.1-r2fixed 1.22.1-r2
Consul and Consul Enterprise’s (“Consul”) event endpoint is vulnerable to denial of service (DoS) due to lack of maximum value on the Content Length header. This vulnerability, CVE-2025-11375, is fixed in Consul Community Edition 1.22.0 and Consul Enterprise 1.22.0, 1.21.6, 1.20.
- CVE-2024-10086Oct 30, 2024affected < 1.22.1-r2fixed 1.22.1-r2
A vulnerability was identified in Consul and Consul Enterprise such that the server response did not explicitly set a Content-Type HTTP header, allowing user-provided inputs to be misinterpreted and lead to reflected XSS.
- CVE-2024-10006Oct 30, 2024affected < 1.22.1-r2fixed 1.22.1-r2
A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such that using Headers in L7 traffic intentions could bypass HTTP header based access rules.
- CVE-2024-10005Oct 30, 2024affected < 1.22.1-r2fixed 1.22.1-r2
A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such that using URL paths in L7 traffic intentions could bypass HTTP request path-based access rules.