CVE-2020-28053

Incorrect Authorization in go/github.com/hashicorp/consul

Identifiers

GHSA-6m72-467w-94rh, CVE-2020-28053

Package Slug

go/github.com/hashicorp/consul

Vulnerability

Incorrect Authorization

Description

HashiCorp Consul and Consul Enterprise 1.2.0 up to 1.8.5 allowed operators with operator:read ACL permissions to read the Connect CA private key configuration. Fixed in 1.6.10, 1.7.10, and 1.8.6.

Affected Versions

All versions starting from 1.2.0 before 1.6.10, all versions starting from 1.7.0 before 1.7.10, all versions starting from 1.8.0 before 1.8.6

Solution

Upgrade to versions 1.6.10, 1.7.10, 1.8.6 or above.

Last Modified

2024-02-01
