PT-2023-2223 · Hashicorp · Hashicorp Consul

Published

2023-03-07

·

Updated

2024-08-20

·

CVE-2023-0845

CVSS v3.1

6.5

Medium

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions

Consul versions prior to 1.14.5
Consul Enterprise versions prior to 1.14.5
Description

An authenticated user holding an ACL token with service:write permissions can trigger a workflow that causes Consul server and client agents to crash under certain circumstances. Exploitation requires that token plus at least one running ingress gateway or API gateway configured to route traffic to an upstream service. The crash is a NULL pointer dereference, so the impact is denial of service: availability only, with no confidentiality or integrity impact, as the CVSS vector (C:N/I:N/A:H) reflects.
Recommendations

Update Consul to 1.14.5 and Consul Enterprise to 1.14.5. Until the upgrade is complete, two workarounds reduce exposure: restrict which ACL tokens carry service:write permissions (and how broadly those grants are scoped), and restrict access to any ingress or API gateway that is configured to route traffic to an upstream service.
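The first workaround above is only useful if you know which ACL policies actually hand out service:write. The script below is an added example, not part of this advisory and not HashiCorp's code: it reads Consul ACL policy rule text (the HCL that `consul acl policy read -id <id> -format=json` returns in its Rules field) with a small regex-based reader for the `service` and `service_prefix` blocks only, reports every explicit service:write grant, and singles out prefix grants, since `service_prefix ""` with `policy = "write"` is write on every service in the datacenter. The three sample policies are constructed for the example; the policy names, the helper function names and the regex reader are assumptions of this example, not Consul's own parser.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample policies (not from any real cluster). The service and
# service_prefix blocks use Consul's real ACL rule syntax.
SAMPLE_POLICIES: Dict[str, str] = {
    # Weak: write on every service in the datacenter (empty prefix matches all).
    "ops-wildcard": '''
service_prefix "" {
  policy = "write"
}
node_prefix "" {
  policy = "read"
}
''',
    # Scoped: write only on the services this deployer registers.
    "web-deploy": '''
service "web" {
  policy     = "write"
  intentions = "read"
}
service "web-sidecar-proxy" {
  policy = "write"
}
''',
    # Read-only: cannot be used for this issue.
    "readonly": '''
service_prefix "" {
  policy = "read"
}
''',
}

# Minimal regex reader for service / service_prefix blocks (assumption of this
# example; it is not Consul's HCL parser and ignores other rule types).
_BLOCK = re.compile(
    r'\b(?P<kind>service_prefix|service)\s+"(?P<name>[^"]*)"\s*\{'
    r'(?P<body>[^{}]*(?:\{[^{}]*\}[^{}]*)*)\}',
    re.S,
)
_NESTED = re.compile(r'\{[^{}]*\}', re.S)
_POLICY = re.compile(r'\bpolicy\s*=\s*"(?P<level>[a-z]+)"')


def service_grants(rules: str) -> List[Tuple[str, str, str]]:
    """(kind, name, level) for each service/service_prefix block in one policy.

    A block with no explicit policy attribute is reported as "unset".
    """
    grants = []
    for m in _BLOCK.finditer(rules):
        body = _NESTED.sub("", m.group("body"))  # ignore any nested blocks
        p = _POLICY.search(body)
        level = p.group("level") if p else "unset"
        grants.append((m.group("kind"), m.group("name"), level))
    return grants


def service_write_grants(policies: Dict[str, str]) -> Dict[str, List[Tuple[str, str]]]:
    """policy name -> [(kind, name)] for every explicit service:write grant."""
    found: Dict[str, List[Tuple[str, str]]] = {}
    for pname, rules in policies.items():
        writes = [(k, n) for k, n, level in service_grants(rules) if level == "write"]
        if writes:
            found[pname] = writes
    return found


def broad_write_policies(policies: Dict[str, str]) -> List[str]:
    """Policies whose service:write comes from a prefix grant.

    The empty prefix "" matches every service; these are the grants to cut first.
    """
    return sorted(
        pname
        for pname, grants in service_write_grants(policies).items()
        if any(kind == "service_prefix" for kind, _ in grants)
    )


if __name__ == "__main__":
    for pname, grants in service_write_grants(SAMPLE_POLICIES).items():
        for kind, name in grants:
            scope = "ALL services" if kind == "service_prefix" and name == "" else f'{kind} "{name}"'
            print(f"{pname}: service:write on {scope}")
    print("broad prefix grants:", broad_write_policies(SAMPLE_POLICIES))
```

Run it over the Rules text of every policy in the cluster, then map the flagged policies back to tokens with `consul acl token list`; the tokens attached to a prefix-based write grant are the ones to rotate or narrow until the agents are on 1.14.5.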

Fix

Consul 1.14.5; Consul Enterprise 1.14.5

Weakness Enumeration

NULL Pointer Dereference

Related Identifiers

ALT-PU-2023-1696
ALT-PU-2023-7106
ALT-PU-2024-8028
BDU:2023-01973
BIT-CONSUL-2023-0845
CVE-2023-0845
GHSA-WJ6X-HCC2-F32J
GO-2023-1639

Affected Products

Alt Linux
Hashicorp Consul
Hashicorp Consul Enterprise
Red Os