apk package
chainguard/consul-fips-1.21
pkg:apk/chainguard/consul-fips-1.21
Vulnerabilities (45)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-4673 | Med | 6.8 | | < 1.21.1-r1 | 1.21.1-r1 | Jun 11, 2025 | Proxy-Authorization and Proxy-Authenticate headers persisted on cross-origin redirects potentially leaking sensitive information. |
| CVE-2025-22874 | High | 7.5 | | < 1.21.1-r1 | 1.21.1-r1 | Jun 11, 2025 | Calling Verify with a VerifyOptions.KeyUsages that contains ExtKeyUsageAny unintentionally disabled policy validation. This only affected certificate chains which contain policy graphs, which are rather uncommon. |
| CVE-2024-10086 | — | | | < 1.21.5-r6 | 1.21.5-r6 | Oct 30, 2024 | A vulnerability was identified in Consul and Consul Enterprise such that the server response did not explicitly set a Content-Type HTTP header, allowing user-provided inputs to be misinterpreted and lead to reflected XSS. |
| CVE-2024-10006 | — | | | < 1.21.5-r6 | 1.21.5-r6 | Oct 30, 2024 | A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such that using Headers in L7 traffic intentions could bypass HTTP header based access rules. |
| CVE-2024-10005 | — | | | < 1.21.5-r6 | 1.21.5-r6 | Oct 30, 2024 | A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such that using URL paths in L7 traffic intentions could bypass HTTP request path-based access rules. |