CVE-2023-1297 — Premature Release of Resource During Expected Lifetime in Hashicorp Consul

CWE-826 — Premature Release of Resource During Expected Lifetime6 documents4 sources

Severity

7.5HIGHNVD

EPSS

0.2%

top 52.45%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Hashicorp Consul Hashicorp Consul Hashicorp Consul Enterprise +1 more

Timeline

PublishedJun 2

Latest updateAug 20

Description

Consul and Consul Enterprise's cluster peering implementation contained a flaw whereby a peer cluster with service of the same name as a local service could corrupt Consul state, resulting in denial of service. This vulnerability was resolved in Consul 1.14.5, and 1.15.3

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages5 packages

▶CVEListV5hashicorp/consul_enterprise1.14.0 — 1.14.5+1

▶NVDhashicorp/consul1.13.0 — 1.14.7+1

▶Gogithub.com/hashicorp_consul1.15.0 — 1.15.3+1

▶CVEListV5hashicorp/consul1.14.0 — 1.14.5+1

▶debiandebian/consul

🔴Vulnerability Details

OSV

Hashicorp Consul vulnerable to denial of service in github.com/hashicorp/consul↗2024-08-20

▶

OSV

Hashicorp Consul vulnerable to denial of service↗2023-06-03

▶

GHSA

Hashicorp Consul vulnerable to denial of service↗2023-06-03

▶

OSV

CVE-2023-1297: Consul and Consul Enterprise's cluster peering implementation contained a flaw whereby a peer cluster with service of the same name as a local service↗2023-06-02

▶

📋Vendor Advisories

Debian

CVE-2023-1297: consul - Consul and Consul Enterprise's cluster peering implementation contained a flaw w...↗2023

▶