Source: consul
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for consul.

CVE-2021-37219[0]:
| HashiCorp Consul and Consul Enterprise 1.10.1 Raft RPC layer allows
| non-server agents with a valid certificate signed by the same CA to
| access server-only functionality, enabling privilege escalation. Fixed
| in 1.8.15, 1.9.9 and 1.10.2.

https://discuss.hashicorp.com/t/hcsec-2021-22-consul-raft-rpc-privilege-escalation/29024

CVE-2021-38698[1]:
| HashiCorp Consul and Consul Enterprise 1.10.1 Txn.Apply endpoint
| allowed services to register proxies for other services, enabling
| access to service traffic. Fixed in 1.8.15, 1.9.9 and 1.10.2.

https://discuss.hashicorp.com/t/hcsec-2021-24-consul-missing-authorization-check-on-txn-apply-endpoint/29026
https://github.com/hashicorp/consul/commit/747844bad6410091f2c6e961216c0c5fc285a44d (v1.8.15)

CVE-2022-29153[2]:
| HashiCorp Consul and Consul Enterprise through 2022-04-12 allow SSRF.

https://discuss.hashicorp.com/t/hcsec-2022-10-consul-s-http-health-check-may-allow-server-side-request-forgery/38393

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-37219
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37219
[1] https://security-tracker.debian.org/tracker/CVE-2021-38698
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38698
[2] https://security-tracker.debian.org/tracker/CVE-2022-29153
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29153

Please adjust the affected versions in the BTS as needed.