
Cloud Vulnerability DB
A community-led vulnerabilities database
HashiCorp Sentinel up to version 0.10.1 contained a vulnerability (CVE-2019-19879) where negations were not correctly parsed in certain policy expressions. This vulnerability was discovered and fixed in version 0.10.2, released in late June 2019. The issue affected all previous releases of Sentinel (HashiCorp Advisory).
The vulnerability existed in the Sentinel policy language parser, where the 'not' predicate was ignored in certain policy expressions involving the relational operators contains, in, and matches. When such an expression was combined with a higher-precedence operator, such as an arithmetic operator or 'else', the parser mishandled the negation, so the expression had the opposite effect of what was intended. For example, the expression 'foo else "foo" not in "foobar"' was interpreted as 'foo else "foo" in "foobar"' (HashiCorp Advisory).
Policies containing expressions utilizing the incorrectly-parsed negation may not have had their intended effect, which could have security implications for systems relying on those policies. The specific impact would be highly environment-dependent, as it depends on how the affected policies were being used to enforce security controls (HashiCorp Advisory).
The primary mitigation is to upgrade to Sentinel runtime version 0.10.2 or higher. For enterprise products, this fix was included in Vault Enterprise 1.2.0, Terraform Enterprise v201907-1, Consul Enterprise 1.7.0, and Nomad Enterprise 0.10.1. If upgrading is not possible, users can rewrite affected policies using variables as intermediaries to avoid the parser issue. For example: 'foo = foo else "foo"' followed by 'main = foo not in "foobar"' (HashiCorp Advisory).
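The following Sentinel policy is an added illustration of the workaround described above; it is not code from the HashiCorp advisory. The input name foo, the default value "foo", and the denylist string "foobar" are taken from the advisory's own example, while the rule names and comments are assumptions made here. On an affected runtime (0.10.1 and earlier) the first form could be evaluated with the negation dropped, whereas the rewritten form binds the 'else' result to a variable first so that 'not in' applies to a plain identifier and is parsed as intended on every version.

```sentinel
# Added example, not the advisory's own code.
# Assumption: "foo" is a policy input that may be undefined, so the policy
# falls back to the default value "foo" with the 'else' operator.

# Affected form on Sentinel <= 0.10.1. Because 'else' binds more tightly than
# 'not in', the parser could drop the negation and evaluate this as
#   (foo else "foo") in "foobar"
# which returns the opposite of what the policy author intended.
# affected = rule { foo else "foo" not in "foobar" }

# Workaround from the advisory: use a variable as an intermediary so the
# defaulting happens in its own statement and the negation is applied to
# a simple identifier.
foo = foo else "foo"

# With foo defaulted above, this rule is parsed the same way on all versions:
# it passes only when the defaulted value is NOT a substring of "foobar".
main = rule { foo not in "foobar" }
```

When auditing existing policies for this issue, look for any 'not in', 'not contains' or 'not matches' whose left-hand operand is itself an expression (an 'else' fallback, arithmetic, a function call) rather than a bare identifier or literal; those are the expressions to rewrite in this way until the runtime is at 0.10.2 or later.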
Source: This report was generated using AI