Auth bypass in Hashicorp Consul
CVE-2022-3920
HashiCorp Consul and Consul Enterprise 1.13.0 up to 1.13.3 do not filter, for the HTTP or RPC endpoints used by the UI, the nodes and services imported through cluster filtering. Fixed in 1.14.0.
Vulnerability class: Broken Access Control
EPSS: 0.004 (61.5th percentile).
CVSS v3 metric
CVSS v3 base score 5.3 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N.
Affected products
- Hashicorp Consul — versions 1.13.0, 1.13.1, 1.13.2
- Hashicorp Consul Enterprise — versions 1.13.0, 1.13.1, 1.13.2
Frequently asked questions
- What is CVE-2022-3920?
- CVE-2022-3920 is a medium-severity vulnerability in Hashicorp Consul, classified under Missing Authorization. CVSS score: 5.3/10. Published 2022-11-15.
- How severe is CVE-2022-3920?
- Medium severity. CVSS v3 base score is 5.3 out of 10.