Insufficient Server Input Validation - CWE-20

Hello Team,

We are using consul server 1.4.5 and got the following security finding, do we have any available to fix it

The application does not properly validate or sanitize user-controlled input, allowing potentially malicious characters to be returned in server responses. Depending on the insufficient input validation discovered, it can potentially lead to cross-site scripting attacks or other injection attacks like SQL injection. While it may not affect this application adversely, other applications that consume any services may be affected. Investigate the potential impact of this vulnerability.

And remediation recommendation is as follows

Input should be validated as strictly as possible on arrival, given the kind of content that it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitized


Hi Suresh,

Can you give me more information on how this relates to Consul?

Hi Derek,

Thanks for your response on this,

Our security team has identified this issue with consul URL and they are asking to enable validation to queries we doing to consul URL.