Incorrect Access Control Affecting github.com/hashicorp/consul/acl package, versions >=1.4.0 <1.5.1


Severity

Recommended
0.0
low
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.42% (62nd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Incorrect Access Control vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-GOLANG-GITHUBCOMHASHICORPCONSULACL-174929
  • published7 Jun 2019
  • disclosed22 May 2019
  • creditJack Pearkes

Introduced: 22 May 2019

CVE-2019-12291  (opens in a new tab)
CWE-284  (opens in a new tab)

How to fix?

Upgrade github.com/hashicorp/consul/acl to version 1.5.1 or higher.

Overview

github.com/hashicorp/consul/acl is a library part of Hashicorp's Consul. Consul is a tool for service discovery and configuration.

Affected versions of this package are vulnerable to Incorrect Access Control. If a specific ACL rule is used for prefix matching in a policy, keys not matching that specific prefix can be deleted by a token using that policy with default deny settings configured.

CVSS Base Scores

version 3.1