
HashiCorp Consul

HashiCorp Consul provides service discovery, health checking, and Connect service mesh capabilities for multi-cloud and Kubernetes environments. It is often deployed alongside HashiCorp Vault in platform engineering stacks. NVD tracks it as hashicorp:consul with semver-style version ranges.

api usage

Querying Consul

product slug: consul
version format: 1.20.0, 1.16.0, 1.14.0
```bash
curl "https://api.attestd.io/v1/check?product=consul&version=1.16.0" \
  -H "Authorization: Bearer $ATTESTD_KEY"
```

Consul 1.16.0 is affected by CVE-2023-3518 (JWT Auth for service mesh incorrectly allows or denies access regardless of service identity; fixed in 1.16.1). The aggregated response is expected to report risk_state: "high".

```json
{
  "product": "consul",
  "version": "1.16.0",
  "supported": true,
  "risk_state": "high",
  "risk_factors": [
    "authorization_bypass",
    "internet_exposed_service",
    "no_authentication_required",
    "patch_available"
  ],
  "actively_exploited": false,
  "remote_exploitable": true,
  "authentication_required": false,
  "patch_available": true,
  "fixed_version": "1.16.1",
  "confidence": 0.87,
  "cve_ids": ["CVE-2023-3518"],
  "last_updated": "2026-05-22T00:00:00Z"
}
```

safe version

Consul 1.20.0 is used as the patched-line example (the 1.20 series postdates every fixed_version listed on this page); confirm with a live /v1/check call after ingestion rather than assuming the result.

```bash
curl "https://api.attestd.io/v1/check?product=consul&version=1.20.0" \
  -H "Authorization: Bearer $ATTESTD_KEY"
```
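
A small gating script that ties the calls above together, added here as an example (it is not attestd's client code and not part of Consul): it reads the running version from a Consul agent's own /v1/agent/self endpoint, which reports it under Config.Version, builds the /v1/check request, and decides whether a deploy may proceed. The response shape is the one shown above. The sample agent and check payloads are constructed for offline use, the live call runs only when ATTESTD_KEY is set, and treating an unsupported version or a product/version mismatch as a block is this script's policy choice, not something the API prescribes.

```python
"""Gate a Consul deploy on the attestd /v1/check result.

Added example, not attestd's client code or part of Consul. Assumes the
/v1/check response shape shown on this page and a Consul agent's
/v1/agent/self body, which carries the running version in Config.Version.
"""
import json
import os
import urllib.parse
import urllib.request

ATTESTD_CHECK = "https://api.attestd.io/v1/check"

# Constructed, trimmed sample of GET /v1/agent/self from a Consul server agent.
AGENT_SELF_SAMPLE = json.dumps({
    "Config": {"Datacenter": "dc1", "NodeName": "consul-1",
               "Server": True, "Version": "1.16.0"},
})

# Constructed sample of the /v1/check response for consul 1.16.0 (fields as on this page).
CHECK_SAMPLE = json.dumps({
    "product": "consul", "version": "1.16.0", "supported": True,
    "risk_state": "high", "actively_exploited": False,
    "remote_exploitable": True, "patch_available": True,
    "fixed_version": "1.16.1", "cve_ids": ["CVE-2023-3518"],
})


def parse_version(v):
    """Turn '1.16.0' (or Enterprise's '1.16.0+ent') into a comparable int tuple."""
    core = v.split("+", 1)[0].split("-", 1)[0].lstrip("v")
    return tuple(int(part) for part in core.split("."))


def consul_version_from_self(agent_self_json):
    """Running version as reported by the agent itself."""
    return json.loads(agent_self_json)["Config"]["Version"]


def check_url(product, version):
    """Build the /v1/check query; urlencode protects against odd version strings."""
    return ATTESTD_CHECK + "?" + urllib.parse.urlencode(
        {"product": product, "version": version})


def fetch_check(product, version, api_key):
    """Live query (only used when an API key is available)."""
    req = urllib.request.Request(check_url(product, version),
                                 headers={"Authorization": "Bearer " + api_key})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()


def gate(check_json, running_version, block_states=("high",)):
    """Return (allow, reason).

    Policy choices of this script (assumptions, not API rules): an
    unsupported version or a response for a different version is treated as
    unknown and blocks; a blocking risk_state reports the upgrade target only
    when fixed_version is actually newer than what is running.
    """
    r = json.loads(check_json)
    if not r.get("supported", False):
        return False, "version not covered by attestd; treating as unknown"
    if r.get("version") != running_version:
        return False, "response is for %s, not %s" % (r.get("version"), running_version)
    state = r.get("risk_state")
    if state in block_states:
        fixed = r.get("fixed_version")
        cves = ", ".join(r.get("cve_ids", []))
        if r.get("patch_available") and fixed and \
                parse_version(fixed) > parse_version(running_version):
            return False, "%s: upgrade to %s (%s)" % (state, fixed, cves)
        return False, "%s with no usable fixed_version (%s)" % (state, cves)
    return True, "risk_state=%s" % state


if __name__ == "__main__":
    version = consul_version_from_self(AGENT_SELF_SAMPLE)
    key = os.environ.get("ATTESTD_KEY")
    body = fetch_check("consul", version, key) if key else CHECK_SAMPLE
    allowed, why = gate(body, version)
    print("consul", version, "ALLOW" if allowed else "BLOCK", why)
```

Run it with ATTESTD_KEY exported to hit the live endpoint, or without it to exercise the constructed payloads; in CI, exit non-zero on BLOCK.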

notable cves

CVE history

Consul's CVE history spans ACL token handling, Connect sidecar proxy configuration, RPC and HTTP API parsing, and gossip protocol edge cases. Consul servers exposed on WAN or public interfaces carry a high blast radius for unauthenticated remote issues, since ACLs and TLS are both off by default.

| CVE | Description | Affects | CVSS |
| --- | --- | --- | --- |
| CVE-2023-3518 | JWT Auth for service mesh incorrectly allows or denies access regardless of service identity. Fixed in 1.16.1. | 1.16.0 | 7.5 |
| CVE-2021-41803 | Node and segment names are not validated before interpolation into JWT claim assertions in the auto-config RPC, allowing information disclosure and denial of service. | 1.8.1 to 1.13.1 | 7.1 |
| CVE-2020-25864 | Cross-site scripting (XSS) via the key-value store raw mode API endpoint (?raw). | < 1.9.5 | 6.1 |
| CVE-2020-12797 | Changes to legacy ACL token rules are not enforced because they are not propagated to secondary datacenters. Fixed in 1.6.6 and 1.7.4. | < 1.6.6 / 1.7.4 | 7.5 |
| CVE-2018-19653 | Agent-to-agent RPC traffic sent in cleartext because of misleading verify_outgoing documentation; agents may transmit sensitive data unencrypted. | 0.5.1 to 1.4.0 | 5.9 |
| CVE-2022-29153 | Server-side request forgery when the client agent follows HTTP 301/302 redirects returned by HTTP health check endpoints. | < 1.9.17 / 1.10.10 / 1.11.5 | 7.5 |
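
The "Affects" column mixes three notations (a single version, an inclusive span, and a "< a / b / c" list meaning everything below a plus the later minor lines below their own fix). The following is an added example, not part of the page or of Consul, showing how to encode those ranges so a running version can be matched against the table offline; the bounds are transcribed from the table as printed, so it is only as precise as the table (CVE-2021-41803 is encoded as the whole 1.8.1 to 1.13.1 span, which is conservative). upgrade_target is this example's own notion: the smallest version on the running major.minor line that clears every listed CVE, or None when the table lists no in-line fix.

```python
"""Match a Consul version against the notable-CVE table above.

Added example, not part of the page or the Consul project. Ranges are
transcribed from the table's Affects column; (low_inclusive, high_exclusive),
with None meaning unbounded on that side.
"""


def parse_version(v):
    """'1.16.0' or '1.16.0+ent' -> (1, 16, 0)."""
    core = v.split("+", 1)[0].split("-", 1)[0].lstrip("v")
    return tuple(int(p) for p in core.split("."))


NOTABLE = {
    "CVE-2023-3518":  [("1.16.0", "1.16.1")],
    "CVE-2021-41803": [("1.8.1", "1.13.2")],            # table: 1.8.1 to 1.13.1 inclusive
    "CVE-2020-25864": [(None, "1.9.5")],
    "CVE-2020-12797": [(None, "1.6.6"), ("1.7.0", "1.7.4")],   # fixed in 1.6.6 and 1.7.4
    "CVE-2018-19653": [("0.5.1", "1.4.1")],             # table: 0.5.1 to 1.4.0 inclusive
    # "< 1.9.17 / 1.10.10 / 1.11.5": everything below 1.9.17, then the
    # 1.10 and 1.11 lines below their own fix versions.
    "CVE-2022-29153": [(None, "1.9.17"), ("1.10.0", "1.10.10"), ("1.11.0", "1.11.5")],
}


def in_range(version, low, high):
    """low <= version < high, with None as an open bound."""
    v = parse_version(version)
    if low is not None and v < parse_version(low):
        return False
    if high is not None and v >= parse_version(high):
        return False
    return True


def affecting_cves(version, table=NOTABLE):
    """Sorted list of table CVEs whose ranges contain version."""
    return sorted(cve for cve, ranges in table.items()
                  if any(in_range(version, lo, hi) for lo, hi in ranges))


def upgrade_target(version, table=NOTABLE):
    """Smallest version on the same major.minor line that clears every listed
    CVE; None if some matching range has no fix on that line (move lines)."""
    v = parse_version(version)
    targets = []
    for ranges in table.values():
        for lo, hi in ranges:
            if not in_range(version, lo, hi):
                continue
            if hi is None or parse_version(hi)[:2] != v[:2]:
                return None
            targets.append(parse_version(hi))
    return ".".join(map(str, max(targets))) if targets else version


if __name__ == "__main__":
    for ver in ("1.7.2", "1.10.3", "1.16.0", "1.20.0"):
        print(ver, affecting_cves(ver), "->", upgrade_target(ver))
```

A None from upgrade_target means the table offers no patch release on the running line; in practice that is the signal to move to a newer minor and re-run the /v1/check query against the candidate version.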