x/vulndb: potential Go vuln in github.com/hashicorp/consul: GHSA-fhm8-cxcv-pwvc #1945

GoVulnBot · 2023-07-19T19:01:42Z

In GitHub Security Advisory GHSA-fhm8-cxcv-pwvc, there is a vulnerability in the following Go packages or modules:

Unit	Fixed	Vulnerable Ranges
github.com/hashicorp/consul	1.4.3	>= 1.4, < 1.4.3

Cross references:

Module github.com/hashicorp/consul appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/consul: GHSA-6hw5-6gcx-phmw #559 NOT_IMPORTABLE
Module github.com/hashicorp/consul appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/consul: GHSA-ccw8-7688-vqx4 #593 NOT_IMPORTABLE
Module github.com/hashicorp/consul appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/consul: GHSA-q6h7-4qgw-2j9p #615 NOT_IMPORTABLE
Module github.com/hashicorp/consul appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/consul/agent/structs: GHSA-hwqm-x785-qh8p #847 NOT_IMPORTABLE
Module github.com/hashicorp/consul appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/consul/agent: GHSA-p2j5-3f4c-224r #859 NOT_IMPORTABLE
Module github.com/hashicorp/consul appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/consul/agent/consul/discoverychain: GHSA-q2qr-3c2p-9235 #861 NOT_IMPORTABLE
Module github.com/hashicorp/consul appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/consul: GHSA-r9w6-rhh9-7v53 #874 NOT_IMPORTABLE
Module github.com/hashicorp/consul appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/consul/agent/config: GHSA-rqjq-mrgx-85hp #879 NOT_IMPORTABLE
Module github.com/hashicorp/consul appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/consul: GHSA-25gf-8qrr-g78r, CVE-2021-32574 #894 NOT_IMPORTABLE
Module github.com/hashicorp/consul appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/consul: CVE-2021-36213, GHSA-8h2g-r292-j8xh #895 NOT_IMPORTABLE
Module github.com/hashicorp/consul appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/consul: CVE-2022-24687, GHSA-hj93-5fg3-3chr #953 NOT_IMPORTABLE
Module github.com/hashicorp/consul appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/consul: GHSA-m69r-9g56-7mv8 #1029 EFFECTIVELY_PRIVATE
Module github.com/hashicorp/consul appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/consul: GHSA-gw2g-hhc9-wgjh #1121 NOT_IMPORTABLE
Module github.com/hashicorp/consul appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/consul: GHSA-wj6x-hcc2-f32j #1639 NOT_IMPORTABLE
Module github.com/hashicorp/consul appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/consul: GHSA-c57c-7hrj-6q6v #1827 EFFECTIVELY_PRIVATE
Module github.com/hashicorp/consul appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/consul: GHSA-rqjq-ww83-wv5c #1828 EFFECTIVELY_PRIVATE
Module github.com/hashicorp/consul appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/consul: GHSA-4qvx-qq5w-695p #1850 EFFECTIVELY_PRIVATE
Module github.com/hashicorp/consul appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/consul: GHSA-8xmx-h8rq-h94j #1851 EFFECTIVELY_PRIVATE
Module github.com/hashicorp/consul appears in issue x/vulndb: potential Go vuln in github.com/hashicorp/consul: GHSA-q7fx-wm2p-qfj8 #1853 EFFECTIVELY_PRIVATE

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: github.com/hashicorp/consul
      versions:
        - introduced: 1.4.0
          fixed: 1.4.3
      vulnerable_at: 1.4.2
      packages:
        - package: github.com/hashicorp/consul
summary: HashiCorp Consul Access Restriction Bypass
description: |-
    HashiCorp Consul (and Consul Enterprise) 1.4.x before 1.4.3 allows a client to
    bypass intended access restrictions and obtain the privileges of one other
    arbitrary token within secondary datacenters, because a token with literally
    "<hidden>" as its secret is used in unusual circumstances.
cves:
    - CVE-2019-8336
ghsas:
    - GHSA-fhm8-cxcv-pwvc
references:
    - web: https://nvd.nist.gov/vuln/detail/CVE-2019-8336
    - report: https://github.com/hashicorp/consul/issues/5423
    - fix: https://github.com/hashicorp/consul/commit/90040f8bffb311e6cd8599273e95b607175e311f
    - web: https://github.com/hashicorp/consul/blob/003370ded024096cd89fb2aa2bc15293c23b9707/agent/consul/leader.go#L405
    - advisory: https://github.com/advisories/GHSA-fhm8-cxcv-pwvc

The text was updated successfully, but these errors were encountered:

gopherbot · 2023-07-25T21:19:38Z

Change https://go.dev/cl/513195 mentions this issue: data/excluded: batch add 26 excluded reports

gopherbot · 2024-06-14T17:49:47Z

Change https://go.dev/cl/592762 mentions this issue: data/reports: unexclude 75 reports

gopherbot · 2024-08-20T16:54:28Z

Change https://go.dev/cl/606788 mentions this issue: data/reports: unexclude 20 reports (8)

- data/reports/GO-2023-1912.yaml - data/reports/GO-2023-1915.yaml - data/reports/GO-2023-1919.yaml - data/reports/GO-2023-1922.yaml - data/reports/GO-2023-1924.yaml - data/reports/GO-2023-1925.yaml - data/reports/GO-2023-1927.yaml - data/reports/GO-2023-1928.yaml - data/reports/GO-2023-1931.yaml - data/reports/GO-2023-1932.yaml - data/reports/GO-2023-1936.yaml - data/reports/GO-2023-1938.yaml - data/reports/GO-2023-1939.yaml - data/reports/GO-2023-1940.yaml - data/reports/GO-2023-1942.yaml - data/reports/GO-2023-1945.yaml - data/reports/GO-2023-1946.yaml - data/reports/GO-2023-1948.yaml - data/reports/GO-2023-1950.yaml - data/reports/GO-2023-1952.yaml Updates #1912 Updates #1915 Updates #1919 Updates #1922 Updates #1924 Updates #1925 Updates #1927 Updates #1928 Updates #1931 Updates #1932 Updates #1936 Updates #1938 Updates #1939 Updates #1940 Updates #1942 Updates #1945 Updates #1946 Updates #1948 Updates #1950 Updates #1952 Change-Id: Id25f09c8f7270af68238752db96d6a399b91ef36 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/606788 Auto-Submit: Tatiana Bradley <tatianabradley@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Damien Neil <dneil@google.com>

neild self-assigned this Jul 25, 2023

neild added the excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module. label Jul 25, 2023

gopherbot closed this as completed in c30dc8f Jul 25, 2023

This was referenced Feb 1, 2024

x/vulndb: potential Go vuln in github.com/hashicorp/consul: GHSA-496g-fr33-whrf #2501

Closed

x/vulndb: potential Go vuln in github.com/hashicorp/consul: GHSA-6m72-467w-94rh #2505

Closed

GoVulnBot mentioned this issue Apr 3, 2024

x/vulndb: potential Go vuln in github.com/hashicorp/consul: GHSA-hr3v-8cp3-68rf #2683

Closed

GoVulnBot mentioned this issue Apr 10, 2024

x/vulndb: potential Go vuln in github.com/hashicorp/consul: GHSA-9rhf-q362-77mx #2704

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

x/vulndb: potential Go vuln in github.com/hashicorp/consul: GHSA-fhm8-cxcv-pwvc #1945

x/vulndb: potential Go vuln in github.com/hashicorp/consul: GHSA-fhm8-cxcv-pwvc #1945

GoVulnBot commented Jul 19, 2023

gopherbot commented Jul 25, 2023

gopherbot commented Jun 14, 2024

gopherbot commented Aug 20, 2024

x/vulndb: potential Go vuln in github.com/hashicorp/consul: GHSA-fhm8-cxcv-pwvc #1945

x/vulndb: potential Go vuln in github.com/hashicorp/consul: GHSA-fhm8-cxcv-pwvc #1945

Comments

GoVulnBot commented Jul 19, 2023

gopherbot commented Jul 25, 2023

gopherbot commented Jun 14, 2024

gopherbot commented Aug 20, 2024