CVSS v3.1 base score: 6.5 (Medium)
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: LOW
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: NONE
  Integrity Impact: HIGH
  Availability Impact: NONE
  Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

CVSS v2 base score: 4 (Medium)
  Access Vector: NETWORK
  Access Complexity: LOW
  Authentication: SINGLE
  Confidentiality Impact: NONE
  Integrity Impact: PARTIAL
  Availability Impact: NONE
  Vector string: AV:N/AC:L/Au:S/C:N/I:P/A:N

EPSS: 0.001 (Low), percentile 33.0%
github.com/hashicorp/consul is vulnerable to authentication bypass. The vulnerability exists in auto_config_endpoint.go and leader_connect_ca.go because URI length checks are not applied to CSR requests, which allows an attacker to specify multiple SAN URI values in a single call to the endpoint.
discuss.hashicorp.com/t/hcsec-2022-20-consul-service-mesh-intention-bypass-with-malicious-certificate-signing-request/44628
github.com/advisories/GHSA-m69r-9g56-7mv8
github.com/hashicorp/consul/commit/8f6fb4f6fe9488b8ec37da71ac503081d7d3760b
github.com/hashicorp/consul/commit/91d1d6fb43d2cd00bfa78654626b6ee94c801557
github.com/hashicorp/consul/commit/d1c6b87eb21911f19f5d691b603635da178d9ce0
github.com/hashicorp/consul/pull/14585
github.com/hashicorp/consul/pull/14590
github.com/hashicorp/consul/pull/14591
github.com/hashicorp/consul/releases/tag/v1.11.9
github.com/hashicorp/consul/releases/tag/v1.12.5
github.com/hashicorp/consul/releases/tag/v1.13.2
lists.fedoraproject.org/archives/list/[email protected]/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/
lists.fedoraproject.org/archives/list/[email protected]/message/ZTE4ITXXPIWZEQ4HYQCB6N6GZIMWXDAI/