{"id":"CVE-2019-12291","details":"HashiCorp Consul 1.4.0 through 1.5.0 has Incorrect Access Control. Keys not matching a specific ACL rule used for prefix matching in a policy can be deleted by a token using that policy even with default deny settings configured.","aliases":["GHSA-h65h-v7fw-4p38","GO-2023-1852"],"modified":"2026-03-14T04:42:55.898013Z","published":"2019-06-06T17:29:00.353Z","references":[{"type":"FIX","url":"https://github.com/hashicorp/consul/issues/5888"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/hashicorp/consul","events":[{"introduced":"0bddfa23a2ebe3c0773d917fc104f53d74f7a5ec"},{"last_affected":"34eff659dcc5503b6eb117733c9f7def63f01bad"}],"database_specific":{"versions":[{"introduced":"1.4.0"},{"last_affected":"1.5.0"}]}}],"versions":["api/v1.0.0","api/v1.0.1","api/v1.1.0","internal/v0.1.0","sdk/v0.1.0","sdk/v0.1.1","v1.4.0","v1.4.1","v1.4.2","v1.4.3","v1.4.4","v1.5.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-12291.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}]}