Fluid Attacks Database

Description

HashiCorp Consul can use cleartext agent-to-agent RPC communication HashiCorp Consul 0.5.1 through 1.4.0 can use cleartext agent-to-agent RPC communication because the verify_outgoing setting is improperly documented. NOTE: the vendor has provided reconfiguration steps that do not require a software upgrade.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	consul	>=0 <1.4.4~dfsg1-1	1.4.4~dfsg1-1
go	github.com/hashicorp/consul	>=0.5.1 <1.4.1	1.4.1

Aliases

1. CVE-2018-196532. NVD-2018-196533. OSV-DEBIAN-2018-196534. OSV-2018-196535. GCVE-2018-196536. SECURITY-TRACKER-CVE-2018-19653

References

1. https://github.com/hashicorp/consul/pull/50692. https://github.com/hashicorp/consul/commit/b64e8b262f80397eab4f39c6ae7e14683cb9f55c3. https://groups.google.com/forum/#!topic/consul-tool/7TCw06oio0I

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.