Vulnerability Description
HashiCorp Consul and Consul Enterprise up to 1.11.8, 1.12.4, and 1.13.1 do not check for multiple SAN URI values in a CSR submitted to the internal RPC endpoint. Because the endpoint signs the CSR without rejecting the extra URI SAN, a caller who already holds privileged access can obtain a certificate that also identifies another service and use it to bypass service mesh intentions. Fixed in 1.11.9, 1.12.5, and 1.13.2.
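The check the description is about, as an added example and not Consul's own code: a signing endpoint parses the CSR it receives and refuses it unless it carries exactly one URI SAN, that SAN is a SPIFFE ID in the expected trust domain, and it names the service the caller is authorised to request a certificate for. The trust domain, the `/ns/<ns>/dc/<dc>/svc/<service>` path layout, and the service names `web` and `db` are constructed for this example. The two-SAN CSR is the shape the vulnerable versions would have signed; here it is rejected.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// ValidateCSRURISANs is an illustrative signing-side check (not Consul's own
// code): a service CSR must carry exactly one SAN, it must be a SPIFFE URI in
// the expected trust domain, and it must name the service the caller is
// authorised to request a certificate for. Refusing a CSR with two URI SANs
// is what closes the bypass described on this page.
func ValidateCSRURISANs(csr *x509.CertificateRequest, trustDomain, allowedService string) error {
	if err := csr.CheckSignature(); err != nil {
		return fmt.Errorf("csr signature invalid: %w", err)
	}
	// Any other SAN type is a smuggled identity as well; refuse it.
	if len(csr.DNSNames) != 0 || len(csr.IPAddresses) != 0 || len(csr.EmailAddresses) != 0 {
		return errors.New("csr must not carry DNS, IP or email SANs")
	}
	if n := len(csr.URIs); n != 1 {
		return fmt.Errorf("csr must carry exactly one URI SAN, got %d", n)
	}
	u := csr.URIs[0]
	if u.Scheme != "spiffe" || u.Host != trustDomain {
		return fmt.Errorf("SPIFFE ID %q is not in trust domain %q", u.String(), trustDomain)
	}
	// Assumed path layout for this example: /ns/<namespace>/dc/<datacenter>/svc/<service>.
	parts := strings.Split(strings.TrimPrefix(u.Path, "/"), "/")
	if len(parts) != 6 || parts[0] != "ns" || parts[2] != "dc" || parts[4] != "svc" {
		return fmt.Errorf("SPIFFE ID %q has an unexpected path layout", u.String())
	}
	if parts[5] != allowedService {
		return fmt.Errorf("SPIFFE ID %q names service %q, caller may only request %q", u.String(), parts[5], allowedService)
	}
	return nil
}

// MakeCSR builds and re-parses a CSR carrying the given URI SANs, so the
// check above sees exactly what a signing endpoint would see on the wire.
func MakeCSR(uris ...string) (*x509.CertificateRequest, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: "example-proxy"}}
	for _, s := range uris {
		u, err := url.Parse(s)
		if err != nil {
			return nil, err
		}
		tmpl.URIs = append(tmpl.URIs, u)
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificateRequest(der)
}

// Constructed trust domain; it stands in for a real Consul CA trust domain
// and is not taken from the advisory.
const trustDomain = "11111111-2222-3333-4444-555555555555.consul"

func main() {
	web := "spiffe://" + trustDomain + "/ns/default/dc/dc1/svc/web"
	db := "spiffe://" + trustDomain + "/ns/default/dc/dc1/svc/db"

	// "single SAN" is accepted; "two SANs" is the smuggled-identity CSR and is refused.
	for _, tc := range []struct {
		name string
		uris []string
	}{
		{"single SAN", []string{web}},
		{"two SANs", []string{web, db}},
	} {
		csr, err := MakeCSR(tc.uris...)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-10s -> %v\n", tc.name, ValidateCSRURISANs(csr, trustDomain, "web"))
	}
}
```

The service-name comparison is the part that matters operationally: counting SANs alone is not enough, because a single URI SAN naming a service the caller does not own is the same bypass with one less step. Whatever authorises the caller (an ACL token in Consul's case) must be bound to the service the SAN names.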
CVSS Score
6.5 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| HashiCorp | Consul, Consul Enterprise | < 1.11.9 |
| HashiCorp | Consul, Consul Enterprise | 1.12.0 to 1.12.4 |
| HashiCorp | Consul, Consul Enterprise | 1.13.0 to 1.13.1 |
Related Weaknesses (CWE)
References
- https://discuss.hashicorp.com (Vendor Advisory)
- https://discuss.hashicorp.com/t/hcsec-2022-20-consul-service-mesh-intention-bypa (Vendor Advisory, HCSEC-2022-20)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
FAQ
What is CVE-2022-40716?
CVE-2022-40716 is a vulnerability with a CVSS score of 6.5 (MEDIUM). HashiCorp Consul and Consul Enterprise up to 1.11.8, 1.12.4, and 1.13.1 do not check for multiple SAN URI values in a CSR submitted to the internal RPC endpoint, which lets a caller with privileged access obtain a certificate that also identifies another service and bypass service mesh intentions.
How severe is CVE-2022-40716?
CVE-2022-40716 has been rated MEDIUM with a CVSS base score of 6.5/10. The score reflects that the attacker must already hold privileged access to the internal RPC endpoint; the impact is a bypass of service mesh intentions, not an unauthenticated compromise. Only the base score is listed on this page.
Is there a patch for CVE-2022-40716?
Yes. Consul and Consul Enterprise 1.11.9, 1.12.5, and 1.13.2 contain the fix; see the vendor advisory HCSEC-2022-20 in the references above. Affected products: HashiCorp Consul and Consul Enterprise.