Описание
HashiCorp Consul and Consul Enterprise up to 1.11.8, 1.12.4, and 1.13.1 do not check for multiple SAN URI values in a CSR on the internal RPC endpoint, enabling leverage of privileged access to bypass service mesh intentions. Fixed in 1.11.9, 1.12.5, and 1.13.2."
A flaw was found in the HashiCorp Consul package. In the affected versions of this package, a specially crafted CSR sent directly to Consul’s internal server agent RPC endpoint can include multiple SAN URI values with additional service names.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Logging Subsystem for Red Hat OpenShift | openshift-logging/logging-loki-rhel8 | Not affected | ||
| Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/acm-grafana-rhel8 | Will not fix | ||
| Red Hat OpenShift Container Platform 4 | openshift4/ose-grafana | Affected | ||
| Red Hat OpenShift Container Platform 4 | openshift4/topology-aware-lifecycle-manager-rhel8-operator | Affected | ||
| Red Hat Openshift Data Foundation 4 | odf4/odf-multicluster-rhel9-operator | Affected | ||
| Red Hat Openshift Data Foundation 4 | odf4/odr-rhel8-operator | Affected |
Показывать по
Дополнительная информация
Статус:
EPSS
6.5 Medium
CVSS3
Связанные уязвимости
HashiCorp Consul and Consul Enterprise up to 1.11.8, 1.12.4, and 1.13.1 do not check for multiple SAN URI values in a CSR on the internal RPC endpoint, enabling leverage of privileged access to bypass service mesh intentions. Fixed in 1.11.9, 1.12.5, and 1.13.2."
HashiCorp Consul and Consul Enterprise up to 1.11.8, 1.12.4, and 1.13.1 do not check for multiple SAN URI values in a CSR on the internal RPC endpoint, enabling leverage of privileged access to bypass service mesh intentions. Fixed in 1.11.9, 1.12.5, and 1.13.2."
HashiCorp Consul and Consul Enterprise up to 1.11.8, 1.12.4, and 1.13. ...
HashiCorp Consul vulnerable to authorization bypass
EPSS
6.5 Medium
CVSS3