Service Mesh Intention Bypass in HashiCorp Consul and Consul Enterprise
CVE-2022-40716

6.5MEDIUM

Key Information:

Vendor

Hashicorp
Status
Consul
Vendor
CVE Published:
23 September 2022

What is CVE-2022-40716?

HashiCorp Consul and Consul Enterprise versions up to 1.11.8, 1.12.4, and 1.13.1 are affected by a vulnerability that allows attackers to leverage privileged access to bypass service mesh intentions. This occurs due to the lack of validation for multiple Subject Alternative Name (SAN) URI values in Certificate Signing Requests (CSRs) on the internal RPC endpoint. The issue has been addressed in subsequent releases, specifically versions 1.11.9, 1.12.5, and 1.13.2, reinforcing the importance of timely software updates to mitigate such security risks.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

References

https://discuss.hashicorp.com
https://discuss.hashicorp.com/t/hcsec-2022-20-consul-serv...
https://lists.fedoraproject.org/archives/list/package-ann...
vendor-advisory

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.