CVE-2022-3920 — Missing Authorization in Hashicorp Consul

CWE-862 — Missing Authorization7 documents5 sources

Severity

7.5HIGHNVD

EPSS

0.4%

top 37.72%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Hashicorp Consul Hashicorp Consul Hashicorp Consul Enterprise +1 more

Timeline

PublishedNov 16

Latest updateAug 21

Description

HashiCorp Consul and Consul Enterprise 1.13.0 up to 1.13.3 do not filter cluster filtering's imported nodes and services for HTTP or RPC endpoints used by the UI. Fixed in 1.14.0.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages5 packages

▶CVEListV5hashicorp/consul_enterprise4 versions+3

▶Gogithub.com/hashicorp_consul1.13.0 — 1.14.0

▶NVDhashicorp/consul1.13.0 — 1.13.3

▶CVEListV5hashicorp/consul4 versions+3

▶debiandebian/consul

🔴Vulnerability Details

OSV

Missing Authorization in HashiCorp Consul in github.com/hashicorp/consul↗2024-08-21

▶

OSV

Missing Authorization in HashiCorp Consul↗2022-11-16

▶

OSV

CVE-2022-3920: HashiCorp Consul and Consul Enterprise 1↗2022-11-16

▶

GHSA

Missing Authorization in HashiCorp Consul↗2022-11-16

▶

📋Vendor Advisories

Red Hat

consul: Consul Cluster Peering Leaks Imported Nodes/Services Information↗2022-11-15

▶

Debian

CVE-2022-3920: consul - HashiCorp Consul and Consul Enterprise 1.13.0 up to 1.13.3 do not filter cluster...↗2022

▶