Commit Graph

7 Commits

Author SHA1 Message Date
Freddy 5137e4501d Require operator:write to get Connect CA config (#9240)
A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such that operators with `operator:read` ACL permissions are able to read the Consul Connect CA configuration when explicitly configured with the `/v1/connect/ca/configuration` endpoint, including the private key. This allows the user to effectively privilege escalate by enabling the ability to mint certificates for any Consul Connect services. This would potentially allow them to masquerade (receive/send traffic) as any service in the mesh.

--

This PR increases the permissions required to read the Connect CA's private key when it was configured via the `/connect/ca/configuration` endpoint. They are now `operator:write`.
2020-11-19 17:15:17 +00:00
Matt Keeler 8f890bc027
Add capability for the v1/connect/ca/roots endpoint to return a PEM encoded certificate chain (#8774)
Co-authored-by: R.B. Boyer <rb@hashicorp.com>
2020-10-09 10:43:33 -04:00
Jeff Escalante 326ec30d68 update dependencies 2020-05-21 14:50:45 -04:00
Jeff Escalante a8a3c76983
remove 'sidebar_current' from frontmatter 2020-04-28 12:53:24 -04:00
Jeff Escalante 2bfa64f903
replace internal .html link extensions 2020-04-28 12:53:20 -04:00
Jeff Escalante 9cd0b95f24
remove internal /index.html 2020-04-28 12:53:20 -04:00
Jeff Escalante 6bd1a51413
intro and api navigation converted 2020-04-28 12:52:44 -04:00