CVE-2023-0845
Published 2023-03-09
Priority P4 · 33 · medium · CVSS 3.1: 6.5
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
EPSS: 1.00% (58.6th percentile)
Consul and Consul Enterprise allowed an authenticated user with service:write permissions to trigger a workflow that causes Consul server and client agents to crash under certain circumstances. This vulnerability was fixed in Consul 1.14.5.
Affected
13 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | consul | — | — |
| github.com | hashicorp_consul | >= 1.14.0 < 1.14.5 | 1.14.5 |
| hashicorp | consul | < 1.14.5 | 1.14.5 |
| hashicorp | consul | — | — |
| hashicorp | consul | — | — |
| hashicorp | consul | — | — |
| hashicorp | consul | — | — |
| hashicorp | consul | — | — |
| hashicorp | consul_enterprise | — | — |
| hashicorp | consul_enterprise | — | — |
| hashicorp | consul_enterprise | — | — |
| hashicorp | consul_enterprise | — | — |
| hashicorp | consul_enterprise | — | — |
CVSS provenance
nvd · v3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
osv · 6.5 MEDIUM
vendor_debian · 4.9 LOW
vendor_redhat · 4.9 MEDIUM
Red Hat
hashicorp/consul: Consul Server Panic when Ingress and API Gateways Configured with Peering Connections
vendor_redhat·2023-03-09·CVSS 4.9
CVE-2023-0845 [MEDIUM] CWE-476 hashicorp/consul: Consul Server Panic when Ingress and API Gateways Configured with Peering Connections
Consul and Consul Enterprise allowed an authenticated user with service:write permissions to trigger a workflow that causes Consul server and client agents to crash under certain circumstances. This vulnerability was fixed in Consul 1.14.5.
A flaw was found in HashiCorp Consul. This flaw allows an authenticated user with service:write permissions to trigger a workflow that causes the Consul server and client agents to crash under certain circumstances.
Package: openshift-logging/logging-loki-rhel8 (Logging Subsystem for Red Hat OpenShift) - Not affected
Package: rhacm2/acm-grafana-rhel8 (Red Hat Advanced Cluster Management for Kubernetes 2) - Not affected
Package: openshift4/ose
Debian
CVE-2023-0845: consul - Consul and Consul Enterprise allowed an authenticated user with service:write pe...
vendor_debian·2023·CVSS 4.9
CVE-2023-0845 [MEDIUM] CVE-2023-0845: consul - Consul and Consul Enterprise allowed an authenticated user with service:write pe...
Consul and Consul Enterprise allowed an authenticated user with service:write permissions to trigger a workflow that causes Consul server and client agents to crash under certain circumstances. This vulnerability was fixed in Consul 1.14.5.
Scope: local
bullseye: resolved
OSV
Consul Server Panic when Ingress and API Gateways Configured with Peering Connections in github.com/hashicorp/consul
osv·2024-08-20
CVE-2023-0845 Consul Server Panic when Ingress and API Gateways Configured with Peering Connections in github.com/hashicorp/consul
OSV
Consul Server Panic when Ingress and API Gateways Configured with Peering Connections
osv·2023-03-09
CVE-2023-0845 [MEDIUM] Consul Server Panic when Ingress and API Gateways Configured with Peering Connections
A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such that an authenticated user with service:write permissions could trigger a workflow that causes Consul server and client agents to crash under certain circumstances. To exploit this vulnerability, an attacker requires access to an ACL token with service:write permissions, and there needs to be at least one running ingress or API gateway that is configured to route traffic to an upstream service.
GHSA
Consul Server Panic when Ingress and API Gateways Configured with Peering Connections
ghsa·2023-03-09
CVE-2023-0845 [MEDIUM] CWE-476 Consul Server Panic when Ingress and API Gateways Configured with Peering Connections
A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such that an authenticated user with service:write permissions could trigger a workflow that causes Consul server and client agents to crash under certain circumstances. To exploit this vulnerability, an attacker requires access to an ACL token with service:write permissions, and there needs to be at least one running ingress or API gateway that is configured to route traffic to an upstream service.
OSV
CVE-2023-0845: Consul and Consul Enterprise allowed an authenticated user with service:write permissions to trigger a workflow that causes Consul server and client a
osv·2023-03-09·CVSS 6.5
CVE-2023-0845 [MEDIUM] CVE-2023-0845: Consul and Consul Enterprise allowed an authenticated user with service:write permissions to trigger a workflow that causes Consul server and client a
Consul and Consul Enterprise allowed an authenticated user with service:write permissions to trigger a workflow that causes Consul server and client agents to crash under certain circumstances. This vulnerability was fixed in Consul 1.14.5.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://discuss.hashicorp.com/t/hcsec-2023-06-consul-server-panic-when-ingress-and-api-gateways-configured-with-peering-connections/51197
https://lists.fedoraproject.org/archives/list/[email protected]/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/
https://lists.fedoraproject.org/archives/list/[email protected]/message/XNF4OLYZRQE75EB5TW5N42FSXHBXGWFE/
https://lists.fedoraproject.org/archives/list/[email protected]/message/ZTE4ITXXPIWZEQ4HYQCB6N6GZIMWXDAI/