Headline
GHSA-6m72-467w-94rh: Privilege Escalation in HashiCorp Consul
HashiCorp Consul and Consul Enterprise 1.2.0 up to 1.8.5 allowed operators with operator:read ACL permissions to read the Connect CA private key configuration. Fixed in 1.6.10, 1.7.10, and 1.8.6.
Skip to content
Actions
Automate any workflow
Packages
Host and manage packages
Security
Find and fix vulnerabilities
Codespaces
Instant dev environments
Copilot
Write better code with AI
Code review
Manage code changes
Issues
Plan and track work
Discussions
Collaborate outside of code
GitHub Sponsors
Fund open source developers
* The ReadME Project
GitHub community articles
- Pricing
Provide feedback
Saved searches****Use saved searches to filter your results more quickly
Sign up
- GitHub Advisory Database
- GitHub Reviewed
- CVE-2020-28053
Privilege Escalation in HashiCorp Consul
Moderate severity GitHub Reviewed Published Jan 31, 2024 to the GitHub Advisory Database • Updated Jan 31, 2024
Package
gomod github.com/hashicorp/consul (Go)
Affected versions
>= 1.2.0, < 1.6.10
>= 1.7.0, < 1.7.10
>= 1.8.0, < 1.8.6
Patched versions
1.6.10
1.7.10
1.8.6
Description
Published to the GitHub Advisory Database
Jan 31, 2024
Last updated
Jan 31, 2024
Related news
Gentoo Linux Security Advisory 202208-9 - Multiple vulnerabilities have been discovered in HashiCorp Consul, the worst of which could result in denial of service. Versions less than 1.9.17 are affected.
HashiCorp Consul Enterprise version 1.7.0 up to 1.8.4 includes a namespace replication bug which can be triggered to cause denial of service via infinite Raft writes. Fixed in 1.7.9 and 1.8.5.