CVE-2022-3920

MEDIUM

HashiCorp Consul 1.13.0-1.13.3 - Unauthenticated Information Disclosure via UI Endpoints

Description

HashiCorp Consul and Consul Enterprise 1.13.0 up to 1.13.3 do not filter cluster peering's imported nodes and services for HTTP or RPC endpoints used by the UI. Fixed in 1.14.0.

Scores

CVSS v3 5.3
EPSS 0.0048
EPSS Percentile 65.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-862
Status published
Products (2)
hashicorp/consul 1.13.0 - 1.13.3 (2 CPE variants)
hashicorp/consul 1.13.0 - 1.14.0 (Go)
Published Nov 16, 2022
Tracked Since Feb 18, 2026