Service Registration Vulnerability in HashiCorp Consul and Consul Enterprise
CVE-2022-24687

6.5MEDIUM

Key Information:

Vendor

Hashicorp
Status
Consul
Vendor
CVE Published:
24 February 2022

What is CVE-2022-24687?

A vulnerability exists in HashiCorp Consul and Consul Enterprise versions 1.9.0 through 1.9.14, 1.10.7, and 1.11.2, affecting clusters with at least one Ingress Gateway. A user with 'service:write' permissions can register a specifically defined service that may lead to a panic condition on the Consul servers, potentially causing them to shut down unexpectedly. This issue is addressed in versions 1.9.15, 1.10.8, and 1.11.3.

References

https://discuss.hashicorp.com
x_refsource_MISC
https://discuss.hashicorp.com/t/hcsec-2022-05-consul-ingr...
x_refsource_MISC
https://security.netapp.com/advisory/ntap-20220331-0006/
x_refsource_CONFIRM

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.