HashiCorp Consul and Consul Enterprise 1.4.1 through 1.6.2 did not uniformly enforce ACLs across all API endpoints, resulting in potential unintended information disclosure. Fixed in 1.6.3. Upstream issue: https://github.com/hashicorp/consul/issues/7160
Created consul tracking bugs for this issue:
Affects: epel-6 [bug 1805876]
Affects: fedora-30 [bug 1805877]
While OpenShift ServiceMesh does package consul, the packaged versions (v1.1.0 and v1.3.0) are not vulnerable. The vulnerable HTTP API endpoint (v1/agent/health/service/*) was only added in consul releases starting from v1.4.1. Reference commit that introduces the endpoint: https://github.com/hashicorp/consul/commit/4f62a3b5285cef13f25d162f267b678e3b5c0d8e
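A practical triage helper for the two facts above (the affected range 1.4.1 through 1.6.2, fixed in 1.6.3, and the v1/agent/health/service/* endpoint being the one that skipped ACL enforcement), written here as an added example; it is not code from this bug tracker, from Red Hat or from the Consul project. It classifies a reported agent version string (including Consul Enterprise's "+ent" suffix) against the advisory's range, and includes a hypothetical live probe that requests the agent health endpoint for a service id with and without an X-Consul-Token header and reports whether the agent answered 403. The function names, the default base URL http://127.0.0.1:8500 and the sample version strings are assumptions for illustration; the probe is only meaningful against an agent that actually has ACLs enabled with a default-deny policy.

```python
import re
import urllib.error
import urllib.parse
import urllib.request
from typing import Optional, Tuple

# Range taken from the advisory text: 1.4.1 <= version < 1.6.3 is affected.
FIRST_AFFECTED = (1, 4, 1)
FIRST_FIXED = (1, 6, 3)

# Accepts "1.6.2", "v1.6.2", "1.6.2+ent" (Enterprise) and "1.7.0-beta1";
# pre-release and build suffixes are ignored for the range comparison.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Reduce a Consul version string to a (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Consul version: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True when the agent version lies inside the advisory's affected range."""
    return FIRST_AFFECTED <= parse_version(version) < FIRST_FIXED


def acl_enforced(status: int) -> bool:
    """Consul answers ACL failures with HTTP 403. Any other status from the
    agent health endpoint (200 passing, 429 warning, 503 critical, 404 unknown
    service) means the request got past the ACL check."""
    return status == 403


def probe_agent_health(service_id: str,
                       token: Optional[str] = None,
                       base_url: str = "http://127.0.0.1:8500",
                       timeout: float = 5.0) -> int:
    """Hypothetical live check: GET /v1/agent/health/service/id/<service_id>
    and return the HTTP status code (network access required)."""
    path = "/v1/agent/health/service/id/" + urllib.parse.quote(service_id, safe="")
    req = urllib.request.Request(base_url.rstrip("/") + path)
    if token:
        req.add_header("X-Consul-Token", token)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def triage(version: str, unauthenticated_status: Optional[int] = None) -> str:
    """Combine the version check with an optional probe result.

    unauthenticated_status is the status returned by probe_agent_health()
    called without a token on an ACL-enabled, default-deny agent."""
    if not is_affected(version):
        verdict = "version outside affected range"
    else:
        verdict = "version in affected range (1.4.1 through 1.6.2)"
    if unauthenticated_status is None:
        return verdict
    if acl_enforced(unauthenticated_status):
        return verdict + "; agent health endpoint rejected the tokenless request"
    return verdict + (f"; agent health endpoint answered {unauthenticated_status} "
                      "without a token: ACL not enforced on this endpoint")


if __name__ == "__main__":
    # Constructed sample versions; no network access in this demo.
    for v in ("v1.1.0", "1.3.0", "1.4.1", "1.6.2+ent", "1.6.3", "1.7.0-beta1"):
        print(f"{v:>12}: {triage(v)}")
    # A real run would pass probe_agent_health("web-1") as the second argument.
```

The version check alone is enough to decide whether an agent needs the 1.6.3 upgrade; the probe is there for confirming the fix after rollout, because a 403 on a tokenless request is the observable difference between a vulnerable and a fixed agent on this endpoint.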
External References: https://github.com/hashicorp/consul/issues/7160
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-7955