PT-2022-16801 · Hashicorp · Hashicorp Consul

Published: 2022-02-16 · Updated: 2024-08-21 · CVE-2022-24687

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
HashiCorp Consul and Consul Enterprise versions 1.8.0 through 1.9.14
HashiCorp Consul and Consul Enterprise version 1.10.7
HashiCorp Consul and Consul Enterprise version 1.11.2

Description
The issue allows a user with service:write permission to register a specifically-defined service that can cause Consul servers to panic and shut down. This is due to uncontrolled resource consumption in clusters with at least one Ingress Gateway configured.

Recommendations
For versions 1.8.0 through 1.9.14, update to version 1.9.15 or later. For version 1.10.7, update to version 1.10.8 or later. For version 1.11.2, update to version 1.11.3 or later. As a temporary workaround, consider restricting the service:write permission to minimize the risk of exploitation.
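As an added illustration of the temporary workaround (this is not part of the advisory and not HashiCorp's own example), the policy below scopes service:write to the single service a token is meant to register instead of granting it on a blanket prefix. The service name "web" and the policy name are constructed placeholders.

```hcl
# Added example, not from the advisory: a least-privilege Consul ACL policy
# for a token that only needs to register the constructed service "web".

# Overly broad rule that the workaround asks you to move away from: write on
# every service name, which is the precondition the advisory describes.
# service_prefix "" {
#   policy = "write"
# }

# Narrowed rule: write is limited to the one service this token registers.
service "web" {
  policy = "write"
}

# Everything else stays read-only so normal service discovery keeps working.
service_prefix "" {
  policy = "read"
}

node_prefix "" {
  policy = "read"
}
```

The policy is loaded with `consul acl policy create -name web-register -rules @web-register.hcl` and attached to a token with `consul acl token create -policy-name web-register` (the file and policy names are placeholders). While the cluster is still on an affected version, it is worth listing existing policies and tokens to find any that hold service:write on a broad prefix, since those are the credentials the advisory's precondition applies to.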

Weakness Enumeration

Resource Exhaustion

Related Identifiers

ALT-PU-2022-1315
ALT-PU-2023-7106
ALT-PU-2024-8028
BIT-CONSUL-2022-24687
CVE-2022-24687
GHSA-HJ93-5FG3-3CHR
GO-2022-0953

Affected Products

Alt Linux
Hashicorp Consul Enterprise
Debian
Hashicorp Consul
Ingress Gateway