HashiCorp Consul
36 known vulnerabilities across versions
Vulnerabilities are listed by affected version. Select any CVE for the full briefing and its intelligence graph. Two caveats before acting on the affected-version column: it is the site's normalisation of the CVE text and does not always agree with it (CVE-2023-3518 and CVE-2019-9764 are shown as "all versions" although their descriptions name 1.16.0 and 1.4.3 respectively, and CVE-2020-25864 is shown as "< 1.7.14" while its text says "up to version 1.9.4"), so confirm exposure against the CVE text and HashiCorp's own advisory rather than this column alone. Not every entry is HashiCorp Consul itself: CVE-2019-16377 concerns the makandra "consul" Ruby gem, and CVE-2021-3121 is a flaw in the GoGo Protobuf library that Consul consumed as a dependency.
CVE-2025-11375 · affected: < 1.22.0 · CVSS 6.5 MEDIUM
  Consul and Consul Enterprise’s (“Consul”) event endpoint is vulnerable to denial of service (DoS) due to lack of maximum val

CVE-2025-11374 · affected: < 1.22.0 · CVSS 6.5 MEDIUM
  Consul and Consul Enterprise’s (“Consul”) key/value endpoint is vulnerable to denial of service (DoS) due to incorrect Conte

CVE-2024-10086 · affected: >= 1.4.1 and < 1.20.0 · CVSS 6.1 MEDIUM
  A vulnerability was identified in Consul and Consul Enterprise such that the server response did not explicitly set a Content-Type

CVE-2024-10006 · affected: >= 1.4.1 and < 1.20.1 · CVSS 8.3 HIGH
  A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such that using Headers in L7 traffic intentions cou

CVE-2024-10005 · affected: >= 1.4.1 and < 1.20.1 · CVSS 8.1 HIGH
  A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such that using URL paths in L7 traffic intentions c

CVE-2023-5332 · affected: < 0.9.4 · CVSS 5.9 MEDIUM
  Patch in third party library Consul requires 'enable-script-checks' to be set to False. This was required to enable a patch by the

CVE-2023-3518 · affected: all versions · CVSS 7.4 HIGH
  HashiCorp Consul and Consul Enterprise 1.16.0 when using JWT Auth for service mesh incorrectly allows/denies access regardless of

CVE-2023-2816 · affected: >= 1.15.0 and < 1.15.3 · CVSS 8.7 HIGH
  Consul and Consul Enterprise allowed any user with service:write permissions to use Envoy extensions configured via service-defaul

CVE-2023-1297 · affected: >= 1.13.0 and < 1.14.7 · CVSS 4.9 MEDIUM
  Consul and Consul Enterprise's cluster peering implementation contained a flaw whereby a peer cluster with service of the same nam

CVE-2023-0845 · affected: < 1.14.5 · CVSS 4.9 MEDIUM
  Consul and Consul Enterprise allowed an authenticated user with service:write permissions to trigger a workflow that causes Consul

CVE-2022-3920 · affected: >= 1.13.0 and <= 1.13.3 · CVSS 5.3 MEDIUM
  HashiCorp Consul and Consul Enterprise 1.13.0 up to 1.13.3 do not filter cluster filtering's imported nodes and services for HTTP

CVE-2022-40716 · affected: < 1.11.9 · CVSS 6.5 MEDIUM
  HashiCorp Consul and Consul Enterprise up to 1.11.8, 1.12.4, and 1.13.1 do not check for multiple SAN URI values in a CSR on the i

CVE-2021-41803 · affected: >= 1.8.1 and < 1.11.9 · CVSS 7.1 HIGH
  HashiCorp Consul 1.8.1 up to 1.11.8, 1.12.4, and 1.13.1 do not properly validate the node or segment names prior to interpolation

CVE-2022-29153 · affected: < 1.9.17 · CVSS 7.5 HIGH
  HashiCorp Consul and Consul Enterprise up to 1.9.16, 1.10.9, and 1.11.4 may allow server side request forgery when the Consul clie

CVE-2022-24687 · affected: >= 1.8.0 and < 1.9.15 · CVSS 6.5 MEDIUM
  HashiCorp Consul and Consul Enterprise 1.9.0 through 1.9.14, 1.10.7, and 1.11.2 clusters with at least one Ingress Gateway allow a

CVE-2021-41805 · affected: >= 1.7.0 and < 1.8.17 · CVSS 8.8 HIGH
  HashiCorp Consul Enterprise before 1.8.17, 1.9.x before 1.9.11, and 1.10.x before 1.10.4 has Incorrect Access Control. An ACL toke

CVE-2021-38698 · affected: < 1.8.15 · CVSS 6.5 MEDIUM
  HashiCorp Consul and Consul Enterprise 1.10.1 Txn.Apply endpoint allowed services to register proxies for other services, enabling

CVE-2021-37219 · affected: < 1.8.15 · CVSS 8.8 HIGH
  HashiCorp Consul and Consul Enterprise 1.10.1 Raft RPC layer allows non-server agents with a valid certificate signed by the same

CVE-2021-36213 · affected: >= 1.9.0 and < 1.9.8 · CVSS 7.5 HIGH
  HashiCorp Consul and Consul Enterprise 1.9.0 through 1.10.0 default deny policy with a single L7 application-aware intention deny

CVE-2021-32574 · affected: >= 1.3.0 and < 1.8.14 · CVSS 7.5 HIGH
  HashiCorp Consul and Consul Enterprise 1.3.0 through 1.10.0 Envoy proxy TLS configuration does not validate destination service id

CVE-2021-28156 · affected: >= 1.8.0 and < 1.8.10 · CVSS 7.5 HIGH
  HashiCorp Consul Enterprise version 1.8.0 up to 1.9.4 audit log can be bypassed by specifically crafted HTTP events. Fixed in 1.9.

CVE-2020-25864 · affected: < 1.7.14 · CVSS 6.1 MEDIUM
  HashiCorp Consul and Consul Enterprise up to version 1.9.4 key-value (KV) raw mode was vulnerable to cross-site scripting. Fixed i

CVE-2021-3121 · affected: < 1.8.15 · CVSS 8.6 HIGH
  An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarshal/unmarshal.go lacks certain index validation, aka the "skip

CVE-2020-28053 · affected: >= 1.2.0 and < 1.6.10 · CVSS 6.5 MEDIUM
  HashiCorp Consul and Consul Enterprise 1.2.0 up to 1.8.5 allowed operators with operator:read ACL permissions to read the Connect

CVE-2020-25201 · affected: >= 1.7.0 and <= 1.8.4 · CVSS 7.5 HIGH
  HashiCorp Consul Enterprise version 1.7.0 up to 1.8.4 includes a namespace replication bug which can be triggered to cause denial

CVE-2020-13250 · affected: >= 1.2.0 and < 1.6.6 · CVSS 7.5 HIGH
  HashiCorp Consul and Consul Enterprise include an HTTP API (introduced in 1.2.0) and DNS (introduced in 1.4.3) caching feature tha

CVE-2020-13170 · affected: >= 1.4.0 and < 1.6.6 · CVSS 7.5 HIGH
  HashiCorp Consul and Consul Enterprise did not appropriately enforce scope for local tokens issued by a primary data center, where

CVE-2020-12797 · affected: >= 1.4.0 and < 1.6.6 · CVSS 5.3 MEDIUM
  HashiCorp Consul and Consul Enterprise failed to enforce changes to legacy ACL token rules due to non-propagation to secondary dat

CVE-2020-12758 · affected: >= 1.6.0 and < 1.6.6 · CVSS 7.5 HIGH
  HashiCorp Consul and Consul Enterprise could crash when configured with an abnormally-formed service-router entry. Introduced in 1

CVE-2020-7955 · affected: >= 1.4.1 and < 1.6.2 · CVSS 5.3 MEDIUM
  HashiCorp Consul and Consul Enterprise 1.4.1 through 1.6.2 did not uniformly enforce ACLs across all API endpoints, resulting in p

CVE-2020-7219 · affected: < 1.6.2 · CVSS 7.5 HIGH
  HashiCorp Consul and Consul Enterprise up to 1.6.2 HTTP/RPC services allowed unbounded resource usage, and were susceptible to una

CVE-2019-16377 · affected: <= 1.0.2 · CVSS 9.8 CRITICAL
  The makandra consul gem through 1.0.2 for Ruby has Incorrect Access Control.

CVE-2019-12291 · affected: >= 1.4.0 and <= 1.5.0 · CVSS 7.5 HIGH
  HashiCorp Consul 1.4.0 through 1.5.0 has Incorrect Access Control. Keys not matching a specific ACL rule used for prefix matching

CVE-2019-9764 · affected: all versions · CVSS 7.4 HIGH
  HashiCorp Consul 1.4.3 lacks server hostname verification for agent-to-agent TLS communication. In other words, the product behave

CVE-2019-8336 · affected: >= 1.4.0 and < 1.4.3 · CVSS 8.1 HIGH
  HashiCorp Consul (and Consul Enterprise) 1.4.x before 1.4.3 allows a client to bypass intended access restrictions and obtain the

CVE-2018-19653 · affected: >= 0.5.1 and <= 1.4.0 · CVSS 5.9 MEDIUM
  HashiCorp Consul 0.5.1 through 1.4.0 can use cleartext agent-to-agent RPC communication because the verify_outgoing setting is imp
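The affected-version column uses a small, regular grammar ("< 1.22.0", ">= 1.4.1 and < 1.20.1", ">= 1.13.0 and <= 1.13.3", "all versions"), so the practical check is to parse those ranges and evaluate them against the version a running agent reports. The script below does that for a subset of the entries above. It is an added example written for this page, not code from threatengine.sh or HashiCorp; the LISTING table is copied from the entries above, CVE-2019-16377 is deliberately omitted because it is the makandra Ruby gem, and the "all versions" entries match every version exactly as the site prints them, which is why the intro tells you to confirm against the CVE text.

```python
"""Check an installed Consul version against the affected-version ranges in this listing.

Added example for this page; not code from threatengine.sh or HashiCorp.
"""
import operator
import re
from typing import Callable, Dict, List, Tuple

Version = Tuple[int, int, int]

# Subset of the listing above, copied as printed: (CVE, affected range, CVSS).
# CVE-2019-16377 is left out on purpose: it is the makandra Ruby gem, not Consul.
LISTING: List[Tuple[str, str, float]] = [
    ("CVE-2025-11375", "< 1.22.0", 6.5),
    ("CVE-2025-11374", "< 1.22.0", 6.5),
    ("CVE-2024-10086", ">= 1.4.1 and < 1.20.0", 6.1),
    ("CVE-2024-10006", ">= 1.4.1 and < 1.20.1", 8.3),
    ("CVE-2023-2816", ">= 1.15.0 and < 1.15.3", 8.7),
    ("CVE-2022-3920", ">= 1.13.0 and <= 1.13.3", 5.3),
    # Site says "all versions"; the CVE text names 1.16.0. Kept as printed.
    ("CVE-2023-3518", "all versions", 7.4),
]

OPS: Dict[str, Callable[[Version, Version], bool]] = {
    "<": operator.lt, "<=": operator.le, ">": operator.gt, ">=": operator.ge,
}


def parse_version(text: str) -> Version:
    """Extract MAJOR.MINOR.PATCH from '1.20.1', 'v1.20.1', '1.20.1+ent'
    or the first line of `consul version` output ('Consul v1.20.1')."""
    m = re.search(r"v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no Consul version found in {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def parse_range(spec: str) -> List[Tuple[str, Version]]:
    """Turn '>= 1.4.1 and < 1.20.1' into [('>=', (1, 4, 1)), ('<', (1, 20, 1))].
    'all versions' becomes an empty clause list, which matches every version."""
    spec = spec.strip()
    if spec == "all versions":
        return []
    clauses: List[Tuple[str, Version]] = []
    for part in spec.split(" and "):
        m = re.fullmatch(r"(<=|>=|<|>)\s*(\S+)", part.strip())
        if not m:
            raise ValueError(f"unrecognised range clause: {part!r}")
        clauses.append((m.group(1), parse_version(m.group(2))))
    return clauses


def is_affected(version: str, spec: str) -> bool:
    """True when `version` satisfies every clause of the affected range."""
    v = parse_version(version)
    return all(OPS[op](v, bound) for op, bound in parse_range(spec))


def matching_cves(version: str, listing=LISTING, min_cvss: float = 0.0) -> List[str]:
    """CVE IDs from the listing whose range covers `version`, sorted by ID.
    `min_cvss` mirrors the page's "Min CVSS" filter."""
    return sorted(
        cve for cve, spec, score in listing
        if score >= min_cvss and is_affected(version, spec)
    )


if __name__ == "__main__":
    import sys
    # Usage: python check_consul.py "$(consul version | head -n1)"
    target = sys.argv[1] if len(sys.argv) > 1 else "Consul v1.19.2"
    for cve in matching_cves(target):
        print(cve)
```

Boundary handling matters here: "< 1.22.0" excludes 1.22.0 itself while "<= 1.13.3" includes 1.13.3, and Enterprise builds carry a "+ent" suffix that the regex ignores so the numeric comparison still works.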
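Three entries above name an agent setting rather than a code defect: CVE-2018-19653 (cleartext agent-to-agent RPC when verify_outgoing is not enforced), CVE-2019-9764 (no server hostname verification for agent-to-agent TLS) and CVE-2023-5332 (its text requires 'enable-script-checks' to be false). Those are worth auditing in the agent configuration regardless of version. The script below is an added example written for this page, not code from threatengine.sh or HashiCorp. It reads Consul's JSON agent configuration and resolves each setting from the tls stanza introduced in Consul 1.12 first, then the legacy top-level key, then Consul's documented default of false; both configurations are constructed for the example, and HCL configuration files would need converting to JSON first.

```python
"""Audit a Consul agent configuration for the settings named by CVE-2018-19653,
CVE-2019-9764 and CVE-2023-5332 in this listing.

Added example for this page; not code from threatengine.sh or HashiCorp.
Understands JSON agent configuration only, with both the legacy top-level
TLS keys and the `tls` stanza that Consul 1.12 introduced.
"""
import json
from typing import Any, Dict, List, Sequence, Tuple

# Constructed weak configuration: legacy keys, outgoing RPC not required to use
# TLS, no server hostname check, script checks enabled.
WEAK_CONFIG: Dict[str, Any] = json.loads("""
{
  "datacenter": "dc1",
  "server": true,
  "ca_file": "/etc/consul.d/ca.pem",
  "cert_file": "/etc/consul.d/server.pem",
  "key_file": "/etc/consul.d/server-key.pem",
  "verify_incoming": true,
  "verify_outgoing": false,
  "enable_script_checks": true
}
""")

# Constructed hardened configuration using the 1.12+ tls stanza.
# enable_local_script_checks keeps script checks usable from local config files
# while refusing them over the HTTP API.
HARDENED_CONFIG: Dict[str, Any] = json.loads("""
{
  "datacenter": "dc1",
  "server": true,
  "tls": {
    "defaults": {
      "ca_file": "/etc/consul.d/ca.pem",
      "cert_file": "/etc/consul.d/server.pem",
      "key_file": "/etc/consul.d/server-key.pem",
      "verify_incoming": true,
      "verify_outgoing": true
    },
    "internal_rpc": { "verify_server_hostname": true }
  },
  "enable_script_checks": false,
  "enable_local_script_checks": true
}
""")

# (setting name, candidate paths in priority order, safe value, CVE, finding text)
CHECKS: List[Tuple[str, Sequence[Sequence[str]], bool, str, str]] = [
    ("verify_outgoing",
     (("tls", "defaults", "verify_outgoing"), ("verify_outgoing",)),
     True, "CVE-2018-19653",
     "outgoing agent RPC is not required to use TLS"),
    ("verify_server_hostname",
     (("tls", "internal_rpc", "verify_server_hostname"), ("verify_server_hostname",)),
     True, "CVE-2019-9764",
     "server certificates are not checked against the expected server hostname"),
    ("enable_script_checks",
     (("enable_script_checks",),),
     False, "CVE-2023-5332",
     "script checks are enabled; the CVE text requires enable-script-checks to be false"),
]


def _lookup(cfg: Dict[str, Any], path: Sequence[str]) -> Any:
    """Walk nested dicts along `path`; None when any key is missing."""
    node: Any = cfg
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def resolve(cfg: Dict[str, Any], paths: Sequence[Sequence[str]]) -> bool:
    """First boolean found along the candidate paths, else False (Consul's
    default for all three settings audited here)."""
    for path in paths:
        value = _lookup(cfg, path)
        if isinstance(value, bool):
            return value
    return False


def audit(cfg: Dict[str, Any]) -> List[Tuple[str, str, str]]:
    """(CVE, setting, finding) for every setting not at its safe value."""
    return [
        (cve, name, text)
        for name, paths, safe, cve, text in CHECKS
        if resolve(cfg, paths) != safe
    ]


if __name__ == "__main__":
    import sys
    # Usage: python audit_consul.py /etc/consul.d/server.json
    cfg = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else WEAK_CONFIG
    for cve, name, text in audit(cfg):
        print(f"{cve}: {name}: {text}")
```

Missing keys are treated as their default of false, which is exactly what makes CVE-2018-19653 and CVE-2019-9764 silent: a configuration that sets only ca_file, cert_file and verify_incoming looks TLS-enabled but still fails both checks.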
threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin