Vulnerability Details : CVE-2020-13170
HashiCorp Consul and Consul Enterprise did not appropriately enforce scope for local tokens issued by a primary data center, where replication to a secondary data center was not enabled. Introduced in 1.4.0, fixed in 1.6.6 and 1.7.4.
Vulnerability category: Input validation
Exploit prediction scoring system (EPSS) score for CVE-2020-13170
Probability of exploitation activity in the next 30 days: 0.10%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 41 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2020-13170
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
|---|---|---|---|---|---|
|
5.0
|
MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N |
10.0
|
2.9
|
NIST |
|
7.5
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
3.9
|
3.6
|
NIST |
CWE ids for CVE-2020-13170
-
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.Assigned by: nvd@nist.gov (Primary)
References for CVE-2020-13170
-
https://github.com/hashicorp/consul/pull/8068
CVE-2020-13170: Local ACL Token Used in Remote Datacenters by i0rek · Pull Request #8068 · hashicorp/consul · GitHubPatch;Third Party Advisory
-
https://github.com/hashicorp/consul/blob/v1.6.6/CHANGELOG.md
consul/CHANGELOG.md at v1.6.6 · hashicorp/consul · GitHubRelease Notes;Third Party Advisory
-
https://github.com/hashicorp/consul/blob/v1.7.4/CHANGELOG.md
consul/CHANGELOG.md at v1.7.4 · hashicorp/consul · GitHubRelease Notes;Third Party Advisory
Products affected by CVE-2020-13170
- cpe:2.3:a:hashicorp:consul:*:*:*:*:*:*:*:*
- cpe:2.3:a:hashicorp:consul:*:*:*:*:enterprise:*:*:*
- cpe:2.3:a:hashicorp:consul:*:*:*:*:enterprise:*:*:*
- cpe:2.3:a:hashicorp:consul:*:*:*:*:*:*:*:*