CVE-2022-3920: Consul Peering Imported Nodes/Services Leak
First published: Tue Nov 15 2022(Updated: )
HashiCorp Consul and Consul Enterprise 1.13.0 up to 1.13.3 do not filter cluster filtering's imported nodes and services for HTTP or RPC endpoints used by the UI. Fixed in 1.14.0.
Credit: security@hashicorp.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| HashiCorp Consul | >=1.13.0<=1.13.3 | |
| HashiCorp Consul | >=1.13.0<=1.13.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID for this issue?
The vulnerability ID for this issue is CVE-2022-3920.
What is the severity of CVE-2022-3920?
The severity of CVE-2022-3920 is high with a CVSS score of 7.5.
Which software versions are affected by CVE-2022-3920?
HashiCorp Consul and Consul Enterprise versions 1.13.0 up to 1.13.3 are affected by CVE-2022-3920.
How does CVE-2022-3920 affect HashiCorp Consul and Consul Enterprise?
CVE-2022-3920 allows imported nodes and services to be exposed without proper filtering in the UI of HashiCorp Consul and Consul Enterprise versions 1.13.0 up to 1.13.3.
How can I fix CVE-2022-3920?
To fix CVE-2022-3920, update your HashiCorp Consul or Consul Enterprise installation to version 1.14.0 or later.
- collector/nvd-index
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/author
- agent/title
- agent/last-modified-date
- agent/references
- agent/severity
- agent/tags
- agent/description
- agent/weakness
- agent/event
- agent/first-publish-date
- vendor/hashicorp
- canonical/hashicorp consul
- version/hashicorp consul/1.13.0
- version/hashicorp consul/1.13.3