CVE-2020-13250
HIGH7.5EPSS 0.87%Allocation of Resources Without Limits or Throttling in Hashicorp Consul in github.com/hashicorp/consul
Published: 5/18/2021Modified: 4/28/2026
Description
HashiCorp Consul and Consul Enterprise include an HTTP API (introduced in 1.2.0) and DNS (introduced in 1.4.3) caching feature that was vulnerable to denial of service. Fixed in 1.6.6 and 1.7.4.
Affected packages (4)
- Bitnami/consul>= 1.2.0, < 1.6.6, >= 1.7.0, < 1.7.4
- Debian/consulfrom 0, < 1.7.4+dfsg1-1
- Go/github.com/hashicorp/consul>= 1.2.0, < 1.6.6
- Go/github.com/hashicorp/consul>= 1.2.0, < 1.6.6, >= 1.7.0, < 1.7.4
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
References (7)
- ADVISORYhttps://github.com/advisories/GHSA-rqjq-mrgx-85hp
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2020-13250
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2020-13250
- WEBhttps://github.com/hashicorp/consul/blob/v1.6.6/CHANGELOG.md
- WEBhttps://github.com/hashicorp/consul/blob/v1.7.4/CHANGELOG.md
- WEBhttps://github.com/hashicorp/consul/commit/72f92ae7ca4cabc1dc3069362a9b64ef46941432
- WEBhttps://github.com/hashicorp/consul/pull/8023