CVE-2019-12291 : HashiCorp Consul 1.4.0 through 1.5.0 has Incorrect Access Control. Keys not matching a specific ACL rule used for prefix

HashiCorp Consul 1.4.0 through 1.5.0 has Incorrect Access Control. Keys not matching a specific ACL rule used for prefix matching in a policy can be deleted by a token using that policy even with default deny settings configured.

Published 2019-06-06 17:29:00

Updated 2020-08-24 17:37:01

Source MITRE

View at NVD, CVE.org

Exploit prediction scoring system (EPSS) score for CVE-2019-12291

Probability of exploitation activity in the next 30 days: 0.08%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 35 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2019-12291

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
6.4	MEDIUM	AV:N/AC:L/Au:N/C:N/I:P/A:P	10.0	4.9	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: None Integrity Impact: Partial Availability Impact: Partial
7.5	HIGH	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N	3.9	3.6	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: High Availability: None

References for CVE-2019-12291

https://github.com/hashicorp/consul/issues/5888

CVE-2019-12291: Unauthorized Key/Value Deletion · Issue #5888 · hashicorp/consul · GitHub
Mitigation;Issue Tracking;Patch;Third Party Advisory

Products affected by CVE-2019-12291

Hashicorp » Consul
Versions from including (>=) 1.4.0 and up to, including, (<=) 1.5.0
cpe:2.3:a:hashicorp:consul:*:*:*:*:*:*:*:*
Matching versions

Vulnerability Details : CVE-2019-12291

Exploit prediction scoring system (EPSS) score for CVE-2019-12291

CVSS scores for CVE-2019-12291

References for CVE-2019-12291

Products affected by CVE-2019-12291