CVE-2022-40716

Name
CVE-2022-40716
Description
HashiCorp Consul and Consul Enterprise up to 1.11.8, 1.12.4, and 1.13.1 do not check for multiple SAN URI values in a CSR on the internal RPC endpoint, allowing a caller that already holds privileged access to bypass service mesh intentions. Fixed in 1.11.9, 1.12.5, and 1.13.2.
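The class of check the fixed releases add is worth seeing in code. The following is an added example, not Consul's own code: it builds a CSR carrying one URI SAN and a CSR carrying two (a second SPIFFE identity smuggled alongside the legitimate one), then runs a CA-side validation that verifies the CSR self-signature, requires exactly one URI SAN, and requires the spiffe scheme before returning the identity. The trust domain and Consul-style SPIFFE paths are hypothetical, and `buildCSR`, `countURISANs` and `identityFromCSR` are names chosen for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"errors"
	"fmt"
	"net/url"
)

// ErrURISANCount is returned when a CSR does not carry exactly one URI SAN.
var ErrURISANCount = errors.New("csr: expected exactly one URI SAN")

// buildCSR returns a DER-encoded, self-signed CSR whose URI SANs are the
// given identities. Constructed input for the example: a fresh P-256 key
// is generated per call and discarded.
func buildCSR(uris ...string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{}
	for _, raw := range uris {
		u, err := url.Parse(raw)
		if err != nil {
			return nil, err
		}
		tmpl.URIs = append(tmpl.URIs, u)
	}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, key)
}

// countURISANs parses a DER CSR and reports how many URI SANs it carries,
// which is the quantity a signing endpoint must refuse to ignore.
func countURISANs(der []byte) (int, error) {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return 0, err
	}
	return len(csr.URIs), nil
}

// identityFromCSR is the hardened check: the CSR self-signature must verify,
// the CSR must carry exactly one URI SAN, and that URI must use the spiffe
// scheme. Reading csr.URIs[0] without the length check would let a second
// identity ride along into the signed leaf certificate.
func identityFromCSR(der []byte) (*url.URL, error) {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("csr: bad self-signature: %w", err)
	}
	if n := len(csr.URIs); n != 1 {
		return nil, fmt.Errorf("%w, got %d", ErrURISANCount, n)
	}
	id := csr.URIs[0]
	if id.Scheme != "spiffe" {
		return nil, fmt.Errorf("csr: URI SAN scheme %q is not spiffe", id.Scheme)
	}
	return id, nil
}

func main() {
	// Hypothetical trust domain; the path layout follows Consul's SPIFFE IDs.
	const web = "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/web"
	const db = "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/db"

	good, _ := buildCSR(web)    // legitimate request for one identity
	bad, _ := buildCSR(web, db) // second identity appended to the SAN list

	if id, err := identityFromCSR(good); err == nil {
		fmt.Println("accepted:", id)
	}
	if _, err := identityFromCSR(bad); err != nil {
		fmt.Println("rejected:", err)
	}
}
```

The same rule applies to any CA that derives authorization from a SAN: count the entries before trusting one of them, and reject rather than pick the first when the count is wrong.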
NVD Severity
medium
Other trackers
Mailing lists
Exploits

References

Type URI
MISC https://discuss.hashicorp.com/t/hcsec-2022-20-consul-service-mesh-intention-bypass-with-malicious-certificate-signing-request/44628
MISC https://discuss.hashicorp.com
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZTE4ITXXPIWZEQ4HYQCB6N6GZIMWXDAI/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XNF4OLYZRQE75EB5TW5N42FSXHBXGWFE/

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:hashicorp:consul:*:*:*:*:enterprise:*:*:* consul >= None < 1.11.9
cpe:2.3:a:hashicorp:consul:*:*:*:*:enterprise:*:*:* consul >= 1.12.0 < 1.12.5
cpe:2.3:a:hashicorp:consul:*:*:*:*:enterprise:*:*:* consul >= 1.13.0 < 1.13.2

Vulnerable and fixed packages

Source package Branch Version Maintainer Status