Fluid Attacks Database

Description

HashiCorp Consul Ingress Gateway Panic Can Shutdown Servers HashiCorp Consul and Consul Enterprise 1.8.0 through 1.9.14, 1.10.7, and 1.11.2 has Uncontrolled Resource Consumption. Clusters with at least one ingress gateway configured may allow a user with service:write permission to register a specifically-defined service that can cause the Consul server to panic and shutdown. Versions 1.9.15, 1.10.8, and 1.11.3 contain patches for the problem.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	consul	=1.10.12+dfsg1-1 \|\| =1.8.7+dfsg1-2 \|\| =1.8.7+dfsg1-3 \|\| =1.8.7+dfsg1-4 \|\| =1.8.7+dfsg1-5 \|\| =1.8.7+dfsg1-6 \|\| =1.9.17+dfsg2-1	-
go	github.com/hashicorp/consul	>=1.8.0 <1.9.15 \|\| >=1.10.0 <1.10.8 \|\| >=1.11.0 <1.11.3	1.9.15, 1.10.8, 1.11.3

Aliases

1. CVE-2022-246872. NVD-2022-246873. OSV-DEBIAN-2022-246874. OSV-2022-246875. GCVE-2022-246876. SECURITY-TRACKER-CVE-2022-246877. security.gentoo.org

References

1. https://discuss.hashicorp.com2. https://discuss.hashicorp.com/t/hcsec-2022-05-consul-ingress-gateway-panic-can-shutdown-servers3. https://security.netapp.com/advisory/ntap-20220331-0006