CVE-2022-40716
Publication date 23 September 2022
Last updated 26 August 2025
Ubuntu priority
Description
HashiCorp Consul and Consul Enterprise up to 1.11.8, 1.12.4, and 1.13.1 do not check for multiple SAN URI values in a CSR on the internal RPC endpoint, enabling leverage of privileged access to bypass service mesh intentions. Fixed in 1.11.9, 1.12.5, and 1.13.2."
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| consul | 26.04 LTS resolute | Not in release |
| 25.10 questing | Not in release | |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy |
Needs evaluation
|
|
| 20.04 LTS focal | Ignored end of standard support, was needs-triage | |
| 18.04 LTS bionic | Ignored end of standard support, was needs-triage | |
| 16.04 LTS xenial | Not in release | |
| 14.04 LTS trusty | Not in release |
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
6.5 · Medium
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | Low |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity impact | High |
| Availability impact | None |
| Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N |