Improper access control in consul

#VU21292 Improper access control in consul

Published: 2019-09-24 | Updated: 2019-09-24

Vulnerability identifier: #VU21292

Vulnerability risk: Medium

CVSSv3.1: 6.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:U/RC:C]

CVE-ID: CVE-2019-16377

CWE-ID: CWE-284

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
consul
Universal components / Libraries / Scripting languages

Vendor: makandra

Description

The vulnerability allows a remote attacker to gain unauthorized access to certain controller actions.

The vulnerability exists in the consul gem for Ruby on Rails when processing multiple power directives. As a result, the ":only" and ":except" options of the last directive apply to all previous directives. A remote attacker can gain unauthenticated access to certain controller actions.

Mitigation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

consul: 0.1.0 - 1.0.2

External links
http://github.com/makandra/consul/issues/49
http://rubygems.org/gems/consul

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Improper access control in makandra consul