Every CVE whose affected-product data names Hashicorp Consul, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (35)
CVE-2021-37219 — CVSS 8.8 (high): HashiCorp Consul and Consul Enterprise 1.10.1 Raft RPC layer allows non-server agents with a valid certificate signed by the same CA to…
CVE-2021-41805 — CVSS 8.8 (high): HashiCorp Consul Enterprise before 1.8.17, 1.9.x before 1.9.11, and 1.10.x before 1.10.4 has Incorrect Access Control. An ACL token (with…
CVE-2023-2816 — CVSS 8.7 (high): Consul and Consul Enterprise allowed any user with service:write permissions to use Envoy extensions configured via service-defaults to…
CVE-2021-3121 — CVSS 8.6 (high): An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarshal/unmarshal.go lacks certain index validation, aka the "skippy peanut…
CVE-2024-10006 — CVSS 8.3 (high): A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such that using Headers in L7 traffic intentions could bypass…
CVE-2019-8336 — CVSS 8.1 (high): HashiCorp Consul (and Consul Enterprise) 1.4.x before 1.4.3 allows a client to bypass intended access restrictions and obtain the…
CVE-2024-10005 — CVSS 8.1 (high): A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such that using URL paths in L7 traffic intentions could…
CVE-2021-28156 — CVSS 7.5 (high): HashiCorp Consul Enterprise version 1.8.0 up to 1.9.4 audit log can be bypassed by specifically crafted HTTP events. Fixed in 1.9.5, and…
CVE-2021-32574 — CVSS 7.5 (high): HashiCorp Consul and Consul Enterprise 1.3.0 through 1.10.0 Envoy proxy TLS configuration does not validate destination service identity in…
CVE-2021-36213 — CVSS 7.5 (high): HashiCorp Consul and Consul Enterprise 1.9.0 through 1.10.0 default deny policy with a single L7 application-aware intention deny action…
CVE-2019-12291 — CVSS 7.5 (high): HashiCorp Consul 1.4.0 through 1.5.0 has Incorrect Access Control. Keys not matching a specific ACL rule used for prefix matching in a…
CVE-2022-29153 — CVSS 7.5 (high): HashiCorp Consul and Consul Enterprise up to 1.9.16, 1.10.9, and 1.11.4 may allow server side request forgery when the Consul client agent…
CVE-2020-12758 — CVSS 7.5 (high): HashiCorp Consul and Consul Enterprise could crash when configured with an abnormally-formed service-router entry. Introduced in 1.6.0…
CVE-2020-13170 — CVSS 7.5 (high): HashiCorp Consul and Consul Enterprise did not appropriately enforce scope for local tokens issued by a primary data center, where…
CVE-2020-13250 — CVSS 7.5 (high): HashiCorp Consul and Consul Enterprise include an HTTP API (introduced in 1.2.0) and DNS (introduced in 1.4.3) caching feature that was…
CVE-2020-25201 — CVSS 7.5 (high): HashiCorp Consul Enterprise version 1.7.0 up to 1.8.4 includes a namespace replication bug which can be triggered to cause denial of…
CVE-2020-7219 — CVSS 7.5 (high): HashiCorp Consul and Consul Enterprise up to 1.6.2 HTTP/RPC services allowed unbounded resource usage, and were susceptible to…
CVE-2023-3518 — CVSS 7.4 (high): HashiCorp Consul and Consul Enterprise 1.16.0 when using JWT Auth for service mesh incorrectly allows/denies access regardless of service…
CVE-2019-9764 — CVSS 7.4 (high): HashiCorp Consul 1.4.3 lacks server hostname verification for agent-to-agent TLS communication. In other words, the product behaves as if…
CVE-2021-41803 — CVSS 7.1 (high): HashiCorp Consul 1.8.1 up to 1.11.8, 1.12.4, and 1.13.1 do not properly validate the node or segment names prior to interpolation and usage…
CVE-2025-11375 — CVSS 6.5 (medium): Consul and Consul Enterprise’s (“Consul”) event endpoint is vulnerable to denial of service (DoS) due to lack of maximum value on the…
CVE-2020-28053 — CVSS 6.5 (medium): HashiCorp Consul and Consul Enterprise 1.2.0 up to 1.8.5 allowed operators with operator:read ACL permissions to read the Connect CA…
CVE-2021-38698 — CVSS 6.5 (medium): HashiCorp Consul and Consul Enterprise 1.10.1 Txn.Apply endpoint allowed services to register proxies for other services, enabling access…
CVE-2022-24687 — CVSS 6.5 (medium): HashiCorp Consul and Consul Enterprise 1.9.0 through 1.9.14, 1.10.7, and 1.11.2 clusters with at least one Ingress Gateway allow a user…
CVE-2022-40716 — CVSS 6.5 (medium): HashiCorp Consul and Consul Enterprise up to 1.11.8, 1.12.4, and 1.13.1 do not check for multiple SAN URI values in a CSR on the internal…
CVE-2025-11374 — CVSS 6.5 (medium): Consul and Consul Enterprise’s (“Consul”) key/value endpoint is vulnerable to denial of service (DoS) due to incorrect Content Length…
CVE-2020-25864 — CVSS 6.1 (medium): HashiCorp Consul and Consul Enterprise up to version 1.9.4 key-value (KV) raw mode was vulnerable to cross-site scripting. Fixed in 1.9.5…
CVE-2024-10086 — CVSS 6.1 (medium): A vulnerability was identified in Consul and Consul Enterprise such that the server response did not explicitly set a Content-Type HTTP…
CVE-2023-5332 — CVSS 5.9 (medium): Patch in third party library Consul requires 'enable-script-checks' to be set to False. This was required to enable a patch by the vendor…
CVE-2018-19653 — CVSS 5.9 (medium): HashiCorp Consul 0.5.1 through 1.4.0 can use cleartext agent-to-agent RPC communication because the verify_outgoing setting is improperly…
CVE-2020-7955 — CVSS 5.3 (medium): HashiCorp Consul and Consul Enterprise 1.4.1 through 1.6.2 did not uniformly enforce ACLs across all API endpoints, resulting in potential…
CVE-2020-12797 — CVSS 5.3 (medium): HashiCorp Consul and Consul Enterprise failed to enforce changes to legacy ACL token rules due to non-propagation to secondary data…
CVE-2022-3920 — CVSS 5.3 (medium): HashiCorp Consul and Consul Enterprise 1.13.0 up to 1.13.3 do not filter cluster filtering's imported nodes and services for HTTP or RPC…
CVE-2023-0845 — CVSS 4.9 (medium): Consul and Consul Enterprise allowed an authenticated user with service:write permissions to trigger a workflow that causes Consul server…
CVE-2023-1297 — CVSS 4.9 (medium): Consul and Consul Enterprise's cluster peering implementation contained a flaw whereby a peer cluster with service of the same name as a…