CVE-2022-3920 Consul and Consul Enterprise 1.13.0 to 1.13.3 do not filter out nodes and services that are used for the UI.

You can work around this issue by using static endpoints or interface aliases. You can also use Consul's filtering rules to whitelist specific endpoints or services. For more information, see the Consul documentation on filtering endpoints. HashiCorp Consul and Consul Enterprise 1.13.0 up to 1.13.3 do not filter cluster filtering's imported nodes and services for HTTP or RPC endpoints used by the UI.


Consul Enterprise 1.14.0

Fixed in 1.14.0

What does this guide cover?

This guide covers the following topics:
- How to use the UI
- What it looks like when you start your project
- Walkthrough of how to create a service, inject variables, and configure services
- Using the UI as a Webhook receiver
- Using the UI as a Proxy server

Timeline

Published on: 11/16/2022 00:15:00 UTC
Last modified on: 11/18/2022 20:21:00 UTC

References