logo

Database

Asymmetric denial of service In github.com/hashicorp/consul

Description

Consul Server Panic when Ingress and API Gateways Configured with Peering Connections A vulnerability was identified in Consul and Consul Enterprise (“Consul”) an authenticated user with service:write permissions could trigger a workflow that causes Consul server and client agents to crash under certain circumstances. To exploit this vulnerability, an attacker requires access to an ACL token with service:write permissions, and there needs to be at least one running ingress or API gateway that is configured to route traffic to an upstream service.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2023-08452. NVD-2023-08453. OSV-2023-08454. GCVE-2023-0845

References

1. https://discuss.hashicorp.com/t/hcsec-2023-06-consul-server-panic-when-ingress-and-api-gateways-configured-with-peering-connections/511972. https://lists.fedoraproject.org/archives/list/[email protected]/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC3. https://lists.fedoraproject.org/archives/list/[email protected]/message/XNF4OLYZRQE75EB5TW5N42FSXHBXGWFE4. https://lists.fedoraproject.org/archives/list/[email protected]/message/ZTE4ITXXPIWZEQ4HYQCB6N6GZIMWXDAI

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.