Vulnerability Details : CVE-2020-13170
HashiCorp Consul and Consul Enterprise did not appropriately enforce scope for local tokens issued by a primary data center, where replication to a secondary data center was not enabled. Introduced in 1.4.0, fixed in 1.6.6 and 1.7.4.
Vulnerability category: Input validation
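To make the scoping failure concrete, the following is an added illustration written for this page; it is not Consul's code and does not reproduce the change made in PR #8068. It models the primary datacenter's token store with two resolvers: one that hands back any known token regardless of which datacenter is asking (the behaviour the advisory describes), and one that honours the token's local flag. The model assumes, as the advisory's wording implies, that a secondary datacenter without token replication relies on the primary to resolve the tokens it is presented with. Datacenter names, secret values and all type and function names are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// Token is a deliberately minimal model of an ACL token. Consul's real
// token type carries many more fields; only the ones relevant to the
// scoping bug are kept here. (Constructed for this example.)
type Token struct {
	SecretID   string
	Datacenter string // datacenter that issued the token
	Local      bool   // a local token is only meant to be honoured in Datacenter
}

// ErrTokenNotFound is returned for unknown tokens and, in the scoped
// resolver, for local tokens presented from a foreign datacenter. Using
// the same error for both avoids telling a remote caller that the secret
// exists at all.
var ErrTokenNotFound = errors.New("ACL token not found")

// Primary models the primary datacenter's token store. A secondary that
// does not replicate tokens has to ask the primary to resolve every token
// it sees, passing along its own datacenter name.
type Primary struct {
	Datacenter string
	tokens     map[string]Token
}

func NewPrimary(dc string) *Primary {
	return &Primary{Datacenter: dc, tokens: make(map[string]Token)}
}

// Issue creates a token in the primary; local=true marks it as scoped to
// the primary datacenter.
func (p *Primary) Issue(secret string, local bool) Token {
	t := Token{SecretID: secret, Datacenter: p.Datacenter, Local: local}
	p.tokens[secret] = t
	return t
}

// ResolveUnscoped is the weak behaviour the advisory describes: any token
// the primary knows is handed back regardless of which datacenter asked,
// so a local token silently works in the secondary.
func (p *Primary) ResolveUnscoped(secret, requestingDC string) (Token, error) {
	t, ok := p.tokens[secret]
	if !ok {
		return Token{}, ErrTokenNotFound
	}
	return t, nil
}

// ResolveScoped is the corrected behaviour: a local token only resolves
// when the requesting datacenter is the one that issued it. Global tokens
// are unaffected.
func (p *Primary) ResolveScoped(secret, requestingDC string) (Token, error) {
	t, ok := p.tokens[secret]
	if !ok {
		return Token{}, ErrTokenNotFound
	}
	if t.Local && t.Datacenter != requestingDC {
		return Token{}, ErrTokenNotFound
	}
	return t, nil
}

func main() {
	p := NewPrimary("dc1")
	local := p.Issue("constructed-local-secret", true)
	global := p.Issue("constructed-global-secret", false)

	cases := []struct {
		name   string
		secret string
		dc     string
	}{
		{"local token in issuing dc", local.SecretID, "dc1"},
		{"local token from secondary", local.SecretID, "dc2"},
		{"global token from secondary", global.SecretID, "dc2"},
	}
	for _, tc := range cases {
		_, weakErr := p.ResolveUnscoped(tc.secret, tc.dc)
		_, fixedErr := p.ResolveScoped(tc.secret, tc.dc)
		fmt.Printf("%-28s unscoped accepts: %-5v scoped accepts: %v\n",
			tc.name, weakErr == nil, fixedErr == nil)
	}
}
```

The only row on which the two resolvers disagree is the local token presented from dc2: the unscoped resolver accepts it, the scoped one reports it as not found. When checking a real deployment, the equivalent test is to create a local token in the primary and attempt to use it against a secondary that has no token replication; on a fixed release the request must fail.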
Products affected by CVE-2020-13170
- cpe:2.3:a:hashicorp:consul:*:*:*:*:*:*:*:*
- cpe:2.3:a:hashicorp:consul:*:*:*:*:enterprise:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-13170
EPSS score: 0.10% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~41% (the proportion of vulnerabilities scored at or below this value)
CVSS scores for CVE-2020-13170
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N (CVSS v2) | 10.0 | 2.9 | NIST | 
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N | 3.9 | 3.6 | NIST | 
CWE ids for CVE-2020-13170
- The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. Assigned by: nvd@nist.gov (Primary)
References for CVE-2020-13170
- https://github.com/hashicorp/consul/pull/8068 (CVE-2020-13170: Local ACL Token Used in Remote Datacenters by i0rek · Pull Request #8068 · hashicorp/consul · GitHub). Patch; Third Party Advisory
- https://github.com/hashicorp/consul/blob/v1.6.6/CHANGELOG.md (consul/CHANGELOG.md at v1.6.6 · hashicorp/consul · GitHub). Release Notes; Third Party Advisory
- https://github.com/hashicorp/consul/blob/v1.7.4/CHANGELOG.md (consul/CHANGELOG.md at v1.7.4 · hashicorp/consul · GitHub). Release Notes; Third Party Advisory