CVE-2022-24687

Name: CVE-2022-24687
Description: HashiCorp Consul and Consul Enterprise 1.9.0 through 1.9.14, 1.10.7, and 1.11.2 clusters with at least one Ingress Gateway allow a user with service:write to register a specifically-defined service that can cause Consul servers to panic. Fixed in 1.9.15, 1.10.8, and 1.11.3.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 1006487

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package    Release    Version          Status
consul (PTS)      buster     1.0.7~dfsg1-5    fixed
                  bullseye   1.8.7+dfsg1-2    vulnerable

The information below is based on the following data on fixed versions.

Package   Type     Release      Fixed Version     Urgency        Origin   Debian Bugs
consul    source   buster       (not affected)
consul    source   bullseye     (unfixed)         end-of-life
consul    source   (unstable)   1.9.17+dfsg2-1                            1006487

Notes

[bullseye] - consul <end-of-life> (EOL in Bullseye)
[buster] - consul <not-affected> (Vulnerable Code not present)
https://discuss.hashicorp.com/t/hcsec-2022-05-consul-ingress-gateway-panic-can-shutdown-servers/
https://github.com/hashicorp/consul/commit/d35c6a97cbdff252f5238d6b52f49786f896566a (v1.9.15)
