Consul CVEs #1088
vlad-belogrudov started this conversation in General
-
My immediate reaction is to just send a PR to the crypt package. But the crypt package actually only relies on the API client, not the entire consul project, and I guess the older client works fine with newer consul versions, so you shouldn't be affected by that CVE in my opinion.
-
Hi,
I am trying to use viper in my project; unfortunately it includes https://github.com/bketelsen/crypt 0.3, and the latter uses the old consul v1.1.0, which is known to be vulnerable. The Consul version should be at least 1.9.3.
See https://nvd.nist.gov/vuln/detail/CVE-2020-7219 and https://www.hashicorp.com/blog/protecting-consul-from-rce-risk-in-specific-configurations
Is it feasible to fix in this project?
Thanks,
Vlad