Privilege Escalation Affecting github.com/hashicorp/consul/agent/structs package, versions >=1.6.0-beta1 <1.6.6 and >=1.7.0 <1.7.4
Snyk ID SNYK-GOLANG-GITHUBCOMHASHICORPCONSULAGENTSTRUCTS-572116
- published 12 Jun 2020
- disclosed 12 Jun 2020
- credit Unknown
Introduced: 12 Jun 2020
CVE-2020-13170
How to fix?
Upgrade github.com/hashicorp/consul/agent/structs to version 1.6.6, 1.7.4 or higher.
Overview
github.com/hashicorp/consul/agent/structs is a package of Consul, a tool for service discovery and configuration.
Affected versions of this package are vulnerable to Privilege Escalation. Consul has two types of tokens, Global and Local. Local tokens are meant to only be resolvable and used within a single datacenter. Creation of local tokens is only allowed if either token replication is enabled in a secondary datacenter, or if the datacenter the token is scoped to is the primary. In a typical cluster we expect that either token replication is on in all datacenters or local tokens are not used at all.
When token replication is not enabled in a secondary datacenter, attempts to use a local token created in the primary succeed for operations targeting that secondary datacenter. A token that was meant to be scoped to a single datacenter is therefore accepted in other datacenters as well.