CVE-2022-3920: Missing Authorization

November 16, 2022 (updated November 18, 2022)

HashiCorp Consul and Consul Enterprise 1.13.0 up to 1.13.3 do not filter cluster filtering’s imported nodes and services for HTTP or RPC endpoints used by the UI. Fixed in 1.14.0.

References

discuss.hashicorp.com/t/hcsec-2022-28-consul-cluster-peering-leaks-imported-nodes-services-information/46946
nvd.nist.gov/vuln/detail/CVE-2022-3920

Detect and mitigate CVE-2022-3920 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →