[pkg-go] Bug#1015218: consul: CVE-2021-37219 CVE-2021-38698 CVE-2022-29153
Moritz Mühlenhoff
jmm at inutil.org
Sun Jul 17 21:00:06 BST 2022
Source: consul
X-Debbugs-CC: team at security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for consul.

CVE-2021-37219[0]:
| HashiCorp Consul and Consul Enterprise 1.10.1 Raft RPC layer allows
| non-server agents with a valid certificate signed by the same CA to
| access server-only functionality, enabling privilege escalation. Fixed
| in 1.8.15, 1.9.9 and 1.10.2.

https://discuss.hashicorp.com/t/hcsec-2021-22-consul-raft-rpc-privilege-escalation/29024

CVE-2021-38698[1]:
| HashiCorp Consul and Consul Enterprise 1.10.1 Txn.Apply endpoint
| allowed services to register proxies for other services, enabling
| access to service traffic. Fixed in 1.8.15, 1.9.9 and 1.10.2.

https://discuss.hashicorp.com/t/hcsec-2021-24-consul-missing-authorization-check-on-txn-apply-endpoint/29026
https://github.com/hashicorp/consul/commit/747844bad6410091f2c6e961216c0c5fc285a44d (v1.8.15)

CVE-2022-29153[2]:
| HashiCorp Consul and Consul Enterprise through 2022-04-12 allow SSRF.

https://discuss.hashicorp.com/t/hcsec-2022-10-consul-s-http-health-check-may-allow-server-side-request-forgery/38393

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-37219
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37219
[1] https://security-tracker.debian.org/tracker/CVE-2021-38698
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38698
[2] https://security-tracker.debian.org/tracker/CVE-2022-29153
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29153

Please adjust the affected versions in the BTS as needed.