chore(deps): update module github.com/hashicorp/consul to v1.14.5 [security] (main) #100
+456
−86
This PR contains the following updates: github.com/hashicorp/consul v1.5.1 -> v1.14.5
Denial of Service (DoS) in HashiCorp Consul
BIT-consul-2020-7219 / CVE-2020-7219 / GHSA-23jv-v6qj-3fhh / GO-2022-0776
Details: HashiCorp Consul and Consul Enterprise up to 1.6.2 HTTP/RPC services allowed unbounded resource usage, and were susceptible to unauthenticated denial of service. Fixed in 1.6.3.
Specific Go Packages Affected: github.com/hashicorp/consul/agent/consul
Severity: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (GitHub Advisory Database); Unknown (Go Vulnerability Database)
This data is provided by OSV, the GitHub Advisory Database and the Go Vulnerability Database (CC-BY 4.0).
Incorrect Authorization in HashiCorp Consul
BIT-consul-2020-7955 / CVE-2020-7955 / GHSA-r9w6-rhh9-7v53 / GO-2022-0874
Details: HashiCorp Consul and Consul Enterprise 1.4.1 through 1.6.2 did not uniformly enforce ACLs across all API endpoints, resulting in potential unintended information disclosure. Fixed in 1.6.3.
Severity: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (GitHub Advisory Database); Unknown (Go Vulnerability Database)
This data is provided by OSV, the GitHub Advisory Database and the Go Vulnerability Database (CC-BY 4.0).
Allocation of Resources Without Limits or Throttling in Hashicorp Consul
BIT-consul-2020-13250 / CVE-2020-13250 / GHSA-rqjq-mrgx-85hp / GO-2022-0879
Details: HashiCorp Consul and Consul Enterprise include an HTTP API (introduced in 1.2.0) and DNS (introduced in 1.4.3) caching feature that was vulnerable to denial of service.
Specific Go Packages Affected: github.com/hashicorp/consul/agent/config
Fix: The vulnerability is fixed in versions 1.6.6 and 1.7.4.
Severity: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (GitHub Advisory Database); Unknown (Go Vulnerability Database)
This data is provided by OSV, the GitHub Advisory Database and the Go Vulnerability Database (CC-BY 4.0).
Privilege Escalation in HashiCorp Consul
BIT-consul-2020-28053 / CVE-2020-28053 / GHSA-6m72-467w-94rh / GO-2024-2505
Details: HashiCorp Consul and Consul Enterprise 1.2.0 up to 1.8.5 allowed operators with operator:read ACL permissions to read the Connect CA private key configuration. Fixed in 1.6.10, 1.7.10, and 1.8.6.
Severity: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N (GitHub Advisory Database); Unknown (Go Vulnerability Database)
This data is provided by OSV, the GitHub Advisory Database and the Go Vulnerability Database (CC-BY 4.0).
HashiCorp Consul Cross-site Scripting vulnerability
BIT-consul-2020-25864 / CVE-2020-25864 / GHSA-8xmx-h8rq-h94j / GO-2023-1851
Details: HashiCorp Consul and Consul Enterprise up to version 1.9.4 key-value (KV) raw mode was vulnerable to cross-site scripting. Fixed in 1.9.5, 1.8.10 and 1.7.14.
Severity: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (GitHub Advisory Database); Unknown (Go Vulnerability Database)
This data is provided by OSV, the GitHub Advisory Database and the Go Vulnerability Database (CC-BY 4.0).
HashiCorp Consul Privilege Escalation Vulnerability
BIT-consul-2021-37219 / CVE-2021-37219 / GHSA-ccw8-7688-vqx4 / GO-2022-0593
Details: HashiCorp Consul and Consul Enterprise 1.10.1 Raft RPC layer allows non-server agents with a valid certificate signed by the same CA to access server-only functionality, enabling privilege escalation. Fixed in 1.8.15, 1.9.9 and 1.10.2.
Severity: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (GitHub Advisory Database); Unknown (Go Vulnerability Database)
This data is provided by OSV, the GitHub Advisory Database and the Go Vulnerability Database (CC-BY 4.0).
HashiCorp Consul and Consul Enterprise 1.10.1 Txn.Apply endpoint allowed services to register proxies for other services, enabling access to service traffic.
BIT-consul-2021-38698 / CVE-2021-38698 / GHSA-6hw5-6gcx-phmw / GO-2022-0559
Details: HashiCorp Consul and Consul Enterprise 1.10.1 Txn.Apply endpoint allowed services to register proxies for other services, enabling access to service traffic. Fixed in 1.8.15, 1.9.9 and 1.10.2.
Severity: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N (GitHub Advisory Database); Unknown (Go Vulnerability Database)
This data is provided by OSV, the GitHub Advisory Database and the Go Vulnerability Database (CC-BY 4.0).
Hashicorp Consul HTTP health check endpoints returning an HTTP redirect may be abused as SSRF vector
BIT-consul-2022-29153 / CVE-2022-29153 / GHSA-q6h7-4qgw-2j9p / GO-2022-0615
Details: A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such that HTTP health check endpoints returning an HTTP redirect may be abused as a vector for server-side request forgery (SSRF). This vulnerability, CVE-2022-29153, was fixed in Consul 1.9.17, 1.10.10, and 1.11.5.
Severity: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N (GitHub Advisory Database); Unknown (Go Vulnerability Database)
This data is provided by OSV, the GitHub Advisory Database and the Go Vulnerability Database (CC-BY 4.0).
Hashicorp Consul Missing SSL Certificate Validation
BIT-consul-2021-32574 / CVE-2021-32574 / GHSA-25gf-8qrr-g78r / GO-2022-0894
Details: HashiCorp Consul before 1.10.1 (and Consul Enterprise) has Missing SSL Certificate Validation. xds does not ensure that the Subject Alternative Name of an upstream is validated.
Severity: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N (GitHub Advisory Database); Unknown (Go Vulnerability Database)
This data is provided by OSV, the GitHub Advisory Database and the Go Vulnerability Database (CC-BY 4.0).
HashiCorp Consul L7 deny intention results in an allow action
BIT-consul-2021-36213 / CVE-2021-36213 / GHSA-8h2g-r292-j8xh / GO-2022-0895
Details: In HashiCorp Consul before 1.10.1 (and Consul Enterprise), xds can generate a situation where a single L7 deny intention (with a default deny policy) results in an allow action.
Severity: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N (GitHub Advisory Database); Unknown (Go Vulnerability Database)
This data is provided by OSV, the GitHub Advisory Database and the Go Vulnerability Database (CC-BY 4.0).
HashiCorp Consul vulnerable to authorization bypass
BIT-consul-2022-40716 / CVE-2022-40716 / GHSA-m69r-9g56-7mv8 / GO-2022-1029
Details: HashiCorp Consul and Consul Enterprise versions prior to 1.11.9, 1.12.5, and 1.13.2 do not check for multiple SAN URI values in a CSR on the internal RPC endpoint, enabling leverage of privileged access to bypass service mesh intentions. A specially crafted CSR sent directly to Consul’s internal server agent RPC endpoint can include multiple SAN URI values with additional service names. This issue has been fixed in versions 1.11.9, 1.12.5, and 1.13.2. There are no known workarounds.
Severity: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N (GitHub Advisory Database); Unknown (Go Vulnerability Database)
This data is provided by OSV, the GitHub Advisory Database and the Go Vulnerability Database (CC-BY 4.0).
Hashicorp Consul vulnerable to denial of service
BIT-consul-2023-1297 / CVE-2023-1297 / GHSA-c57c-7hrj-6q6v / GO-2023-1827
Details: Consul and Consul Enterprise's cluster peering implementation contained a flaw whereby a peer cluster with a service of the same name as a local service could corrupt Consul state, resulting in denial of service. This vulnerability was resolved in Consul 1.14.5 and 1.15.3.
Severity: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H (GitHub Advisory Database); Unknown (Go Vulnerability Database)
This data is provided by OSV, the GitHub Advisory Database and the Go Vulnerability Database (CC-BY 4.0).
Release Notes
hashicorp/consul (github.com/hashicorp/consul)

v1.14.5 (March 7, 2023)
SECURITY:
- This resolves vulnerabilities CVE-2022-41724 in `crypto/tls` and CVE-2022-41723 in `net/http`. [GH-16263]
IMPROVEMENTS:
BUG FIXES:

v1.14.4 (January 26, 2023)
BREAKING CHANGES:
- `name` field. Existing peerings with uppercase characters will not be modified, but they may encounter issues in various circumstances. To maintain forward compatibility and avoid issues, it is recommended to destroy and re-create any invalid peering connections so that they do not have a name containing uppercase characters. [GH-15697]
FEATURES:
- `envoy-ready-bind-port` and `envoy-ready-bind-address` to the `consul connect envoy` command that allows configuration of readiness probe on proxy for any service kind. [GH-16015]
IMPROVEMENTS:
- `WatchServers`, `WatchRoots` and `GetSupportedDataplaneFeatures` gRPC endpoints to accept any valid ACL token [GH-15346]
- if the partition is unspecified, consul will default the partition in the request to agent's partition [GH-16024]
BUG FIXES:
- `consul connect envoy` was unable to configure TLS over unix-sockets to gRPC. [GH-15913]

v1.14.3 (December 13, 2022)
SECURITY:
- `golang.org/x/net` to prevent a denial of service by excessive memory usage caused by HTTP2 requests. CVE-2022-41717 [GH-15737]
FEATURES:
IMPROVEMENTS:
BUG FIXES:

v1.14.2 (November 30, 2022)
FEATURES:
- connect: Add IdleTimeout to service-router to allow configuring the Envoy route idle timeout [GH-14340]
IMPROVEMENTS:
- `.service` and `.node` DNS queries. [GH-15596]
BUG FIXES:
- `consul partition update` subcommand was not registered and therefore not available through the cli.

v1.14.1 (November 21, 2022)
BUG FIXES:
- `consul connect envoy` incorrectly uses the HTTPS API configuration for xDS connections. [GH-15466]

v1.14.0 (November 15, 2022)
BREAKING CHANGES:
- `ports.grpc_tls` configuration option. Introduce a new port to better separate TLS config from the existing `ports.grpc` config. The new `ports.grpc_tls` only supports TLS encrypted communication. The existing `ports.grpc` now only supports plain-text communication. [GH-15339]
- `peering` and `connect` by default. [GH-15302]
- `PeerName` to `Peer` on prepared queries and exported services. [GH-14854]
- changes the names of some Envoy dynamic HTTP metrics. [GH-14178]
SECURITY:
FEATURES:
- `-consul-dns-port` flag to the `consul connect redirect-traffic` command to allow forwarding DNS traffic to a specific Consul DNS port. [GH-15050]
- `server_type=internal|external` label to gRPC metrics. [GH-14922]
- `get-or-empty` operation to the txn api. Refer to the API docs for more information. [GH-14474]
- `iptables` to forward DNS traffic to a specific DNS port. [GH-15050]
IMPROVEMENTS:
- `xds.update_max_per_second` config field) [GH-14960]
- `Failover`s and `Redirect`s only specify `Partition` and `Namespace` on Consul Enterprise. This prevents scenarios where OSS Consul would save service-resolvers that require Consul Enterprise. [[
Configure Renovate #1
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.