Fluid Attacks Database

Description

Allocation of Resources Without Limits or Throttling in Hashicorp Consul HashiCorp Consul and Consul Enterprise include an HTTP API (introduced in 1.2.0) and DNS (introduced in 1.4.3) caching feature that was vulnerable to denial of service.

Specific Go Packages Affected

github.com/hashicorp/consul/agent/config

Fix

The vulnerability is fixed in versions 1.6.6 and 1.7.4.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
go	github.com/hashicorp/consul/config	>=1.2.0 <1.6.6 \|\| >=1.7.0 <1.7.4	v1.6.6, v1.7.4
debian 11	consul	>=0 <1.7.4+dfsg1-1	1.7.4+dfsg1-1
go	github.com/hashicorp/consul	>=1.2.0 <1.6.6 \|\| >=1.7.0 <1.7.4	1.6.6, 1.7.4
go	github.com/hashicorp/consul/agent/config	>=1.2.0 <1.6.6 \|\| >=1.7.0 <1.7.4	1.6.6, 1.7.4

Aliases

1. CVE-2020-132502. NVD-2020-132503. OSV-2020-132504. OSV-DEBIAN-2020-132505. GHSA-rqjq-mrgx-85hp6. GCVE-2020-132507. SECURITY-TRACKER-CVE-2020-13250

References

1. https://github.com/hashicorp/consul/pull/80232. https://github.com/hashicorp/consul/commit/72f92ae7ca4cabc1dc3069362a9b64ef469414323. https://github.com/hashicorp/consul/blob/v1.6.6/CHANGELOG.md4. https://github.com/hashicorp/consul/blob/v1.7.4/CHANGELOG.md