Service Mesh Intention Bypass in HashiCorp Consul and Consul Enterprise
CVE-2022-40716
6.5 MEDIUM
Summary
HashiCorp Consul and Consul Enterprise versions up to 1.11.8, 1.12.4, and 1.13.1 are affected by a vulnerability that allows an attacker with privileged access to bypass service mesh intentions. The cause is that the internal RPC endpoint did not validate Certificate Signing Requests (CSRs) carrying multiple Subject Alternative Name (SAN) URI values. The issue is fixed in versions 1.11.9, 1.12.5, and 1.13.2; upgrading to a fixed release is the mitigation.
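The defensive check a mesh CA needs here is to refuse any CSR that does not carry exactly one identity URI. The following Go example is added for illustration and is not Consul's own code; the spiffe:// identifiers and the ValidateMeshCSR and MakeCSR helpers are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"net/url"
)

// ValidateMeshCSR is a hypothetical CA-side check: a mesh identity CSR must
// carry exactly one URI SAN, no other SAN types, and a spiffe:// identity.
func ValidateMeshCSR(der []byte) (*url.URL, error) {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return nil, fmt.Errorf("parse CSR: %w", err)
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR signature: %w", err)
	}
	// A second URI SAN would let the requester obtain a certificate for an
	// identity it does not own, so reject anything other than one URI.
	if len(csr.URIs) != 1 || len(csr.DNSNames)+len(csr.IPAddresses)+len(csr.EmailAddresses) != 0 {
		return nil, fmt.Errorf("want exactly one URI SAN and no other SANs, got %d URIs", len(csr.URIs))
	}
	id := csr.URIs[0]
	if id.Scheme != "spiffe" || id.Host == "" {
		return nil, fmt.Errorf("URI SAN %q is not a spiffe:// identity", id)
	}
	return id, nil
}

// MakeCSR builds sample input: a CSR with the given URI SANs and a
// throwaway P-256 key (constructed for this example only).
func MakeCSR(uris ...string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{}
	for _, s := range uris {
		u, err := url.Parse(s)
		if err != nil {
			return nil, err
		}
		tmpl.URIs = append(tmpl.URIs, u)
	}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, key)
}
```

A CSR with one spiffe:// URI passes and its identity is returned; a CSR carrying two URIs, or a non-spiffe URI, is rejected before anything is signed.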
CVSS V3.1
Score: 6.5
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged