Advisories for Golang/Github.com/Hashicorp/Consul/Acl package

HashiCorp Consul and Consul Enterprise 1.16.0 when using JWT Auth for service mesh incorrectly allows/denies access regardless of service identities. Fixed in 1.16.1.

HashiCorp Consul 1.4.0 through 1.5.0 has Incorrect Access Control. Keys not matching a specific ACL rule used for prefix matching in a policy can be deleted by a token using that policy even with default deny settings configured.

Consul and Consul Enterprise allowed an authenticated user with service:write permissions to trigger a workflow that causes Consul server and client agents to crash under certain circumstances. This vulnerability was fixed in Consul 1.14.5.

HashiCorp Consul and Consul Enterprise 1.13.0 up to 1.13.3 do not filter cluster filtering's imported nodes and services for HTTP or RPC endpoints used by the UI. Fixed in 1.14.0.

HashiCorp Consul and Consul Enterprise up to 1.11.8, 1.12.4, and 1.13.1 do not check for multiple SAN URI values in a CSR on the internal RPC endpoint, enabling leverage of privileged access to bypass service mesh intentions. Fixed in 1.11.9, 1.12.5, and 1.13.2.

HashiCorp Consul 1.8.1 up to 1.11.8, 1.12.4, and 1.13.1 do not properly validate the node or segment names prior to interpolation and usage in JWT claim assertions with the auto config RPC. Fixed in 1.11.9, 1.12.5, and 1.13.2.

HashiCorp Consul Enterprise has an Incorrect Access Control vulnerability. An ACL token (with the default operator:write permissions) in one namespace can be used for unintended privilege escalation in a different namespace.

HashiCorp Consul and Consul Enterprise's Txn.Apply endpoint allowed services to register proxies for other services, enabling access to service traffic.

HashiCorp Consul and Consul Enterprise's Raft RPC layer allows non-server agents with a valid certificate signed by the same CA to access server-only functionality, enabling privilege escalation.

HashiCorp Consul and Consul Enterprise default deny policy with a single L7 application-aware intention deny action cancels out, causing the intention to incorrectly fail open, allowing L4 traffic.

HashiCorp Consul and Consul Enterprise's Envoy proxy TLS configuration does not validate destination service identity in the encoded subject alternative name.

HashiCorp Consul Enterprise's audit log can be bypassed by specifically crafted HTTP events. An attacker could maliciously craft valid HTTP requests with specific parameters which cause the HTTP event to be incorrectly excluded from Consul Enterprise’s audit log.

A vulnerability was identified in Consul and Consul Enterprise such that a specially crafted key-value entry could be used to perform a cross-site scripting (XSS) attack when viewed in Consul KV API’s raw mode.

An issue was discovered in GoGo Protobuf plugin/unmarshal/unmarshal.go lacks certain index validation, aka the skippy peanut butter issue.

HashiCorp Consul and Consul Enterprise allowed operators with operator:read ACL permissions to read the Connect CA private key configuration

HashiCorp Consul Enterprise up to includes a namespace replication bug which can be triggered to cause denial of service via infinite Raft writes.

HashiCorp Consul and Consul Enterprise does not uniformly enforce ACLs across all API endpoints, resulting in potential unintended information disclosure.