CVE-2022-3920

HIGH7.5EPSS 0.41%

Consul Peering Imported Nodes/Services Leak

Published: 11/16/2022Modified: 5/20/2025

Also known as:GHSA-gw2g-hhc9-wgjhBIT-consul-2022-3920GO-2022-1121

Description

HashiCorp Consul and Consul Enterprise 1.13.0 up to 1.13.3 do not filter cluster filtering's imported nodes and services for HTTP or RPC endpoints used by the UI. Fixed in 1.14.0.

Affected packages (3)

Bitnami/consul>= 1.13.0, < 1.13.4
Go/github.com/hashicorp/consul>= 1.13.0, < 1.14.0
Go/github.com/hashicorp/consul>= 1.13.0, < 1.14.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References (4)

ADVISORYhttps://github.com/advisories/GHSA-gw2g-hhc9-wgjh
ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2022-3920
WEBhttps://discuss.hashicorp.com/t/hcsec-2022-28-consul-cluster-peering-leaks-imported-nodes-services-information/46946
WEBhttps://github.com/hashicorp/consul/commit/706866fa0016b0aa302679f9c648859050d19b2e