ALT-PU-2023-1696-2

Package consul updated to version 1.15.2-alt1 for branch sisyphus in task 319710.

Уязвимость инструмента настройки сервисов Consul и Consul Enterprise, связанная с ошибками разыменования указателей, позволяющая нарушителю вызвать аварийное завершение работы приложения

Severity: MEDIUM (6.5)Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Severity: MEDIUM (6.1)Vector: AV:N/AC:L/Au:M/C:N/I:N/A:C

References:

CVE-2023-0845

Уязвимость компонента Name Handler инструмента настройки сервисов Consul и Consul Enterprise, позволяющая нарушителю получить доступ к потенциально конфиденциальной информации

Severity: HIGH (7.1)Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H

Severity: HIGH (7.5)Vector: AV:N/AC:L/Au:S/C:P/I:N/A:C

References:

CVE-2021-41803

Уязвимость инструмента настройки сервисов Consul и Consul Enterprise, связанная с недостаточной проверкой запросов на стороне сервера, позволяющая нарушителю осуществить атаку SSRF

Severity: HIGH (7.5)Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Severity: HIGH (7.8)Vector: AV:N/AC:L/Au:N/C:N/I:C/A:N

References:

CVE-2022-29153

Уязвимость инструмента настройки сервисов Consul и Consul Enterprise, связанная с непроверенным возвращенным значением, позволяющая нарушителю обойти внедренные ограничения безопасности

Severity: MEDIUM (6.5)Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Severity: MEDIUM (6.8)Vector: AV:N/AC:L/Au:S/C:N/I:C/A:N

References:

CVE-2022-40716

HashiCorp Consul 1.8.1 up to 1.11.8, 1.12.4, and 1.13.1 do not properly validate the node or segment names prior to interpolation and usage in JWT claim assertions with the auto config RPC. Fixed in 1.11.9, 1.12.5, and 1.13.2."

Severity: HIGH (7.1)Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H

References:

HashiCorp Consul and Consul Enterprise up to 1.9.16, 1.10.9, and 1.11.4 may allow server side request forgery when the Consul client agent follows redirects returned by HTTP health check endpoints. Fixed in 1.9.17, 1.10.10, and 1.11.5.

Severity: MEDIUM (5.0)Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N

Severity: HIGH (7.5)Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References:

HashiCorp Consul and Consul Enterprise up to 1.11.8, 1.12.4, and 1.13.1 do not check for multiple SAN URI values in a CSR on the internal RPC endpoint, enabling leverage of privileged access to bypass service mesh intentions. Fixed in 1.11.9, 1.12.5, and 1.13.2."

Severity: MEDIUM (6.5)Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

References:

Consul and Consul Enterprise allowed an authenticated user with service:write permissions to trigger a workflow that causes Consul server and client agents to crash under certain circumstances. This vulnerability was fixed in Consul 1.14.5.

Severity: MEDIUM (6.5)Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

References:

HashiCorp Consul does not properly validate node or segment names prior to usage in JWT claim assertions

Severity: HIGH (7.1)Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H

References:

HashiCorp Consul vulnerable to authorization bypass

Severity: MEDIUM (6.5)Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

References:

Hashicorp Consul HTTP health check endpoints returning an HTTP redirect may be abused as SSRF vector

Severity: HIGH (7.5)Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References:

Consul Server Panic when Ingress and API Gateways Configured with Peering Connections

Severity: MEDIUM (6.5)Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

References:

Version: 2.1.2

Package consul update in sisyphus on 2023-05-02

ALT-PU-2023-1696-2

Closed vulnerabilities

BDU:2023-01973

BDU:2025-04574

BDU:2025-04575

BDU:2025-08591

CVE-2021-41803

CVE-2022-29153

CVE-2022-40716

CVE-2023-0845

GHSA-hr3v-8cp3-68rf

GHSA-m69r-9g56-7mv8

GHSA-q6h7-4qgw-2j9p

GHSA-wj6x-hcc2-f32j