HCSEC-2021-07 - Consul API KV Endpoint Vulnerable to Cross-Site Scripting

Bulletin ID: HCSEC-2021-07
Affected Products / Versions: Consul and Consul Enterprise through 1.9.4; fixed in 1.9.5, 1.8.10 and 1.7.14.
Publication Date: 19 April, 2021

A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such that a specially crafted key-value entry could be used to perform a cross-site scripting (XSS) attack when viewed in Consul KV API’s raw mode. This vulnerability, CVE-2020-25864, affects all Consul versions up to 1.9.4, and is fixed in the 1.9.5, 1.8.10 and 1.7.14 releases.

Consul provides a key-value store (“KV”) that allows storage of indexed objects, typically configuration parameters and metadata. The KV API has an optional raw mode where a KV-indexed object may be served without a JSON wrapper.

It was discovered that the Consul KV API was vulnerable to cross-site scripting when called with the raw parameter. There are various means by which cross-site scripting vulnerabilities may be used to target a Consul service or the environment/users within which it is situated.

Customers should evaluate the risk associated with this issue and consider upgrading to Consul 1.9.5, 1.8.10, 1.7.14, or newer. Please refer to Upgrading Consul for general guidance and version-specific upgrade notes.

This issue was identified by the HashiCorp product security team.

We deeply appreciate any effort to discover and disclose security vulnerabilities responsibly. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.