Incorrect Access Control in HashiCorp Consul 1.4.0 through 1.5.0 Allows Unauthorized Key Deletion

Incorrect Access Control in HashiCorp Consul 1.4.0 through 1.5.0 Allows Unauthorized Key Deletion

CVE-2019-12291 · MEDIUM Severity

AV:N/AC:L/AU:N/C:N/I:P/A:P

HashiCorp Consul 1.4.0 through 1.5.0 has Incorrect Access Control. Keys not matching a specific ACL rule used for prefix matching in a policy can be deleted by a token using that policy even with default deny settings configured.

Learn more about our Web Application Penetration Testing UK.