Consul Server Panic when Ingress and API Gateways Configured with Peering
CVE-2023-0845

6.5 MEDIUM

Key Information:

Vendor: HashiCorp
CVE Published: 9 March 2023

Summary

Consul and Consul Enterprise allowed an authenticated user with service:write permissions to trigger a workflow that causes Consul server and client agents to crash under certain circumstances. This vulnerability was fixed in Consul 1.14.5.

Affected Version(s)

Consul 64 bit 1.14.0

Consul 64 bit 1.14.1

Consul 64 bit 1.14.2

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
