A specially crafted KV entry could be used to perform an XSS attack when viewed in raw mode. Upstream Reference: https://github.com/hashicorp/consul/pull/10023
I'm changing the flaw severity from Important to Moderate because this vulnerability doesn't qualify for a severity higher than Moderate.
External References: https://github.com/hashicorp/consul/pull/10023
A successful exploit requires a specially crafted entry in the Consul KV (key/value) store, which, when viewed in RAW mode, could be used to perform an XSS attack. This requires some knowledge of the environment from a potential attacker. This should be considered a Moderate impact flaw.
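The following is an added example, not code from the Consul project or from this bug report. It assumes (the report does not say so) that the raw-mode response became dangerous because the stored bytes were written without an explicit Content-Type, letting Go's net/http sniff an HTML-looking value as text/html; the hardened handler shows the defensive headers a raw-bytes endpoint should send. The handler names and the sample value are constructed.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Constructed sample value: a KV entry whose bytes look like an HTML document.
var craftedValue = []byte("<html><body><script>/* constructed sample */</script></body></html>")

// rawKVSniffed mimics a raw-mode endpoint that writes the stored bytes without
// setting Content-Type. net/http then sniffs the type from the body
// (http.DetectContentType), so HTML-looking data is served as text/html and a
// browser will render it, script included, in the serving origin.
func rawKVSniffed(w http.ResponseWriter, r *http.Request) {
	w.Write(craftedValue)
}

// rawKVHardened serves the same bytes as inert text and tells the browser not
// to second-guess the declared type. The body is unchanged; only the browser's
// interpretation of it is.
func rawKVHardened(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "text/plain; charset=utf-8")
	w.Header().Set("X-Content-Type-Options", "nosniff")
	w.Write(craftedValue)
}

// serve runs a handler against an in-memory request (hypothetical raw KV path)
// and returns the Content-Type and X-Content-Type-Options headers it produced.
func serve(h http.HandlerFunc) (contentType, typeOptions string) {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, "/v1/kv/example?raw", nil)
	h(rec, req)
	res := rec.Result()
	return res.Header.Get("Content-Type"), res.Header.Get("X-Content-Type-Options")
}

func main() {
	ct, opt := serve(rawKVSniffed)
	fmt.Printf("sniffed:  Content-Type=%q X-Content-Type-Options=%q\n", ct, opt)
	ct, opt = serve(rawKVHardened)
	fmt.Printf("hardened: Content-Type=%q X-Content-Type-Options=%q\n", ct, opt)
}
```

Running it shows the unhardened handler answering with text/html for the crafted value while the hardened one answers text/plain with nosniff, which is the check to repeat against any endpoint that echoes user-controlled bytes.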
Statement: OpenShift Container Platform (OCP) and OpenShift Service Mesh (OSSM) components ship only the Consul API, which could be used to connect to a Consul service mesh, and are therefore not affected by this flaw. Some OpenShift Virtualization components reference consul in go.sum files; however, none of the projects or container images depend on or ship consul, so they are not affected by this flaw either.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-25864