Improper authorization control for web services in github.com/hashicorp/consul/acl

Description

HashiCorp Consul Incorrect Access Control vulnerability

HashiCorp Consul 1.4.0 through 1.5.0 has Incorrect Access Control. Keys that do not match a specific ACL rule used for prefix matching in a policy can be deleted by a token using that policy, even with default deny settings configured.

Specific Go Packages Affected

github.com/hashicorp/consul/acl

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions