1. CVE-Search
  2. CVE-2019-12291
ID CVE-2019-12291
Summary HashiCorp Consul 1.4.0 through 1.5.0 has Incorrect Access Control. Keys not matching a specific ACL rule used for prefix matching in a policy can be deleted by a token using that policy even with default deny settings configured.
References
Vulnerable Configurations
  • cpe:2.3:a:hashicorp:consul:1.4.0:-:*:*:*:*:*:*
    cpe:2.3:a:hashicorp:consul:1.4.0:-:*:*:*:*:*:*
  • cpe:2.3:a:hashicorp:consul:1.4.0:-:*:*:community:*:*:*
    cpe:2.3:a:hashicorp:consul:1.4.0:-:*:*:community:*:*:*
  • cpe:2.3:a:hashicorp:consul:1.4.0:-:*:*:enterprise:*:*:*
    cpe:2.3:a:hashicorp:consul:1.4.0:-:*:*:enterprise:*:*:*
  • cpe:2.3:a:hashicorp:consul:1.4.0:rc1:*:*:*:*:*:*
    cpe:2.3:a:hashicorp:consul:1.4.0:rc1:*:*:*:*:*:*
  • cpe:2.3:a:hashicorp:consul:1.4.0:rc1:*:*:community:*:*:*
    cpe:2.3:a:hashicorp:consul:1.4.0:rc1:*:*:community:*:*:*
  • cpe:2.3:a:hashicorp:consul:1.4.0:rc1:*:*:enterprise:*:*:*
    cpe:2.3:a:hashicorp:consul:1.4.0:rc1:*:*:enterprise:*:*:*
  • cpe:2.3:a:hashicorp:consul:1.4.1:*:*:*:*:*:*:*
    cpe:2.3:a:hashicorp:consul:1.4.1:*:*:*:*:*:*:*
  • cpe:2.3:a:hashicorp:consul:1.4.1:*:*:*:community:*:*:*
    cpe:2.3:a:hashicorp:consul:1.4.1:*:*:*:community:*:*:*
  • cpe:2.3:a:hashicorp:consul:1.4.1:*:*:*:enterprise:*:*:*
    cpe:2.3:a:hashicorp:consul:1.4.1:*:*:*:enterprise:*:*:*
  • cpe:2.3:a:hashicorp:consul:1.4.2:*:*:*:*:*:*:*
    cpe:2.3:a:hashicorp:consul:1.4.2:*:*:*:*:*:*:*
  • cpe:2.3:a:hashicorp:consul:1.4.2:*:*:*:community:*:*:*
    cpe:2.3:a:hashicorp:consul:1.4.2:*:*:*:community:*:*:*
  • cpe:2.3:a:hashicorp:consul:1.4.2:*:*:*:enterprise:*:*:*
    cpe:2.3:a:hashicorp:consul:1.4.2:*:*:*:enterprise:*:*:*
  • cpe:2.3:a:hashicorp:consul:1.4.3:*:*:*:*:*:*:*
    cpe:2.3:a:hashicorp:consul:1.4.3:*:*:*:*:*:*:*
  • cpe:2.3:a:hashicorp:consul:1.4.3:*:*:*:community:*:*:*
    cpe:2.3:a:hashicorp:consul:1.4.3:*:*:*:community:*:*:*
  • cpe:2.3:a:hashicorp:consul:1.4.3:*:*:*:enterprise:*:*:*
    cpe:2.3:a:hashicorp:consul:1.4.3:*:*:*:enterprise:*:*:*
  • cpe:2.3:a:hashicorp:consul:1.4.4:*:*:*:*:*:*:*
    cpe:2.3:a:hashicorp:consul:1.4.4:*:*:*:*:*:*:*
  • cpe:2.3:a:hashicorp:consul:1.4.4:*:*:*:enterprise:*:*:*
    cpe:2.3:a:hashicorp:consul:1.4.4:*:*:*:enterprise:*:*:*
  • cpe:2.3:a:hashicorp:consul:1.4.5:*:*:*:*:*:*:*
    cpe:2.3:a:hashicorp:consul:1.4.5:*:*:*:*:*:*:*
  • cpe:2.3:a:hashicorp:consul:1.4.5:*:*:*:enterprise:*:*:*
    cpe:2.3:a:hashicorp:consul:1.4.5:*:*:*:enterprise:*:*:*
  • cpe:2.3:a:hashicorp:consul:1.5.0:*:*:*:*:*:*:*
    cpe:2.3:a:hashicorp:consul:1.5.0:*:*:*:*:*:*:*
CVSS
Base: 6.4 (as of 24-08-2020 - 17:37)
Impact:
Exploitability:
CWE NVD-CWE-noinfo
CAPEC
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
NONE PARTIAL PARTIAL
cvss-vector via4 AV:N/AC:L/Au:N/C:N/I:P/A:P
refmap via4
confirm https://github.com/hashicorp/consul/issues/5888
Last major update 24-08-2020 - 17:37
Published 06-06-2019 - 17:29
Last modified 24-08-2020 - 17:37
Back to Top