CVE-2019-9764
First published: Tue Mar 26 2019(Updated: )
HashiCorp Consul 1.4.3 lacks server hostname verification for agent-to-agent TLS communication. In other words, the product behaves as if verify_server_hostname were set to false, even when it is actually set to true. This is fixed in 1.4.4.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| HashiCorp Consul | =1.4.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2019-9764?
CVE-2019-9764 is a vulnerability in HashiCorp Consul 1.4.3 that allows for agent-to-agent TLS communication without proper server hostname verification.
How does the vulnerability in HashiCorp Consul 1.4.3 affect me?
The vulnerability in HashiCorp Consul 1.4.3 allows for potential man-in-the-middle attacks due to the lack of server hostname verification for agent-to-agent TLS communication.
What is the severity of CVE-2019-9764?
CVE-2019-9764 has a severity rating of 7.4 (high).
How can I fix the vulnerability in HashiCorp Consul 1.4.3?
To fix the vulnerability in HashiCorp Consul 1.4.3, you should update to version 1.4.4 or later, which provides the necessary server hostname verification for agent-to-agent TLS communication.
Where can I find more information about CVE-2019-9764?
You can find more information about CVE-2019-9764 on the official GitHub page of HashiCorp Consul: https://github.com/hashicorp/consul/issues/5519
- collector/nvd-index
- agent/severity
- agent/references
- agent/tags
- agent/type
- agent/event
- agent/weakness
- agent/author
- agent/description
- agent/last-modified-date
- agent/softwarecombine
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- vendor/hashicorp
- canonical/hashicorp consul
- version/hashicorp consul/1.4.3