From debbf4a604c92f8784e26aff0b517b9519e67d6c Mon Sep 17 00:00:00 2001 From: Kent 'picat' Gruber Date: Wed, 14 Apr 2021 16:36:40 -0400 Subject: [PATCH] Add better security warning to docs about the content-type change --- website/content/api-docs/kv.mdx | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/website/content/api-docs/kv.mdx b/website/content/api-docs/kv.mdx index 2dfc0931b..60a75d8f2 100644 --- a/website/content/api-docs/kv.mdx +++ b/website/content/api-docs/kv.mdx @@ -145,6 +145,10 @@ is instead `text/plain`. (Yes, that is intentionally a bunch of gibberish characters to showcase the response) +!> **Warning:** Consul versions before 1.9.5, 1.8.10 and 1.7.14 detected the content-type +of the raw KV data which could be used for cross-site scripting (XSS) attacks. This is +identified publicly as CVE-2020-25864. + ## Create/Update Key This endpoint updates the value of the specified key. If no key exists at the given
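Review bot: The new warning in the kv.mdx hunk (inserted before "## Create/Update Key") names the affected versions and CVE-2020-25864 but gives the reader no action to take; suggest closing it with an explicit instruction to upgrade to 1.9.5, 1.8.10, 1.7.14 or later. The phrase "before 1.9.5, 1.8.10 and 1.7.14" is also ambiguous about which release series each number bounds, so wording it per series (1.9.x before 1.9.5, and so on) would read more clearly. Finally, "which could be used for cross-site scripting" has an unclear antecedent: rephrase so it is the content-type detection on the raw response that is the problem, which also ties the warning to the preceding text stating that the response is now `text/plain`.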