github.com/hashicorp/consul is vulnerable to Incorrect Permission Assignment for Critical Resource
23
Low Risk
Affected versions of this package are vulnerable to Information Exposure via an improper access control flaw in the Consul agent. An attacker who gains the ability to read arbitrary files on the Consul agent's filesystem, using the group ID that the Consul agent runs as, could access the agent's TLS certificate and private key. This would allow them to impersonate the Consul agent and attack the cluster. The patch sets the permissions of these files to 0600.
You are affected if you are using a version that falls within the vulnerable range.
github.com/hashicorp/consul is vulnerable to Incorrect Permission Assignment for Critical Resource in versions 1.0.0 - 1.21.4.
Upgrade the github.com/hashicorp/consul library to the patched version, or explicitly set the read/write permissions in agent/auto-config/persist.go to 0600.
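The following Go sketch shows the owner-only (0600) write pattern the remediation describes, plus an audit for files already on disk that carry looser bits. It is an added example, not Consul's code or its patch; `WritePrivate` and `FindLoosePerms` are hypothetical names, and the directory to scan is whatever path you pass in.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// ownerOnly is the mode named in the advisory: read/write for the owner only.
const ownerOnly fs.FileMode = 0o600

// WritePrivate writes data to path with mode 0600. The explicit Chmod matters:
// os.WriteFile applies its mode only when it creates the file, so a file that
// already exists with looser bits would otherwise keep them.
func WritePrivate(path string, data []byte) error {
	if err := os.WriteFile(path, data, ownerOnly); err != nil {
		return err
	}
	return os.Chmod(path, ownerOnly)
}

// FindLoosePerms returns the regular files under dir that have any permission
// bit set outside 0600 (for example group-read, which the advisory describes).
func FindLoosePerms(dir string) ([]string, error) {
	var loose []string
	err := filepath.WalkDir(dir, func(p string, d fs.DirEntry, err error) error {
		if err != nil || !d.Type().IsRegular() {
			return err
		}
		info, err := d.Info()
		if err != nil {
			return err
		}
		if info.Mode().Perm()&^ownerOnly != 0 {
			loose = append(loose, p)
		}
		return nil
	})
	return loose, err
}

func main() { // prints the loosely-permissioned files under the given directory
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: <program> <directory>")
		os.Exit(2)
	}
	fmt.Println(FindLoosePerms(os.Args[1]))
}
```

Run the audit against the directory where the agent persists its certificate and key material, since files written before an upgrade can still carry their old mode.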