
HashiCorp Consul vulnerable to authorization bypass

Moderate severity GitHub Reviewed Published Sep 25, 2022 • Updated Sep 29, 2022

Package

gomod github.com/hashicorp/consul (Go)

Affected versions

< 1.11.9

>= 1.12.0, < 1.12.5

>= 1.13.0, < 1.13.2

Patched versions

1.11.9

1.12.5

1.13.2

Description

HashiCorp Consul and Consul Enterprise versions prior to 1.11.9, 1.12.5, and 1.13.2 do not check for multiple SAN URI values in a CSR submitted to the internal RPC endpoint, allowing an attacker who already holds privileged access to bypass service mesh intentions. A specially crafted CSR sent directly to Consul's internal server agent RPC endpoint can include multiple SAN URI values that name additional services. This issue has been fixed in versions 1.11.9, 1.12.5, and 1.13.2. There are no known workarounds.
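The missing check is a count on the SAN URI entries of a parsed CSR. The following is an added illustration of that validation and is not Consul's own code: it builds constructed CSRs with one and with two SPIFFE-style URIs (the `spiffe://example.test/...` identities and the function names `BuildCSR` and `ValidateSingleSANURI` are assumptions for this example), then accepts only a signed CSR that carries exactly one URI, so a request cannot carry extra service identities alongside the one it is entitled to.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"net/url"
)

// ErrMultipleSANURIs is returned when a CSR carries more than one SAN URI.
var ErrMultipleSANURIs = errors.New("csr: more than one SAN URI present")

// ErrNoSANURI is returned when a CSR carries no SAN URI at all.
var ErrNoSANURI = errors.New("csr: no SAN URI present")

// BuildCSR creates a DER-encoded CSR whose SAN extension carries the given URIs.
// This is constructed test input with a throwaway key, used only to exercise the check.
func BuildCSR(uris []string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: "service"}}
	for _, raw := range uris {
		u, err := url.Parse(raw)
		if err != nil {
			return nil, err
		}
		tmpl.URIs = append(tmpl.URIs, u)
	}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, key)
}

// ValidateSingleSANURI parses a DER CSR, verifies its self-signature and returns the
// one SAN URI it carries. A CSR with zero or more than one SAN URI is rejected.
func ValidateSingleSANURI(der []byte) (string, error) {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return "", fmt.Errorf("csr: parse: %w", err)
	}
	if err := csr.CheckSignature(); err != nil {
		return "", fmt.Errorf("csr: signature: %w", err)
	}
	switch n := len(csr.URIs); {
	case n == 0:
		return "", ErrNoSANURI
	case n > 1:
		return "", ErrMultipleSANURIs
	}
	return csr.URIs[0].String(), nil
}

func main() {
	// Hypothetical SPIFFE-style identities; the trust domain example.test is made up.
	good, _ := BuildCSR([]string{"spiffe://example.test/ns/default/svc/web"})
	bad, _ := BuildCSR([]string{
		"spiffe://example.test/ns/default/svc/web",
		"spiffe://example.test/ns/default/svc/db",
	})
	for name, der := range map[string][]byte{"single": good, "multiple": bad} {
		uri, err := ValidateSingleSANURI(der)
		fmt.Printf("%-8s uri=%q err=%v\n", name, uri, err)
	}
}
```

The signature check runs before the SAN count so that a tampered request fails closed either way; a real signing endpoint would additionally compare the single URI against the identity the caller is authorized for, which this example does not model.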

References

  • https://nvd.nist.gov/vuln/detail/CVE-2022-40716
  • https://discuss.hashicorp.com/t/hcsec-2022-20-consul-service-mesh-intention-bypass-with-malicious-certificate-signing-request/44628

Severity

Moderate, 6.5 / 10

CVSS base metrics

  • Attack vector: Network
  • Attack complexity: Low
  • Privileges required: Low
  • User interaction: None
  • Scope: Unchanged
  • Confidentiality: None
  • Integrity: High
  • Availability: None

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Weaknesses

CWE-252

CVE ID

CVE-2022-40716

GHSA ID

GHSA-m69r-9g56-7mv8

Source code

hashicorp/consul

Related news

CVE-2022-40716: HCSEC-2022-20 - Consul Service Mesh Intention Bypass with Malicious Certificate Signing Request

HashiCorp Consul and Consul Enterprise up to 1.11.8, 1.12.4, and 1.13.1 do not check for multiple SAN URI values in a CSR on the internal RPC endpoint, allowing an attacker with privileged access to bypass service mesh intentions. Fixed in 1.11.9, 1.12.5, and 1.13.2.