Affected by GO-2022-0559
and 9 other vulnerabilities
GO-2022-0559: HashiCorp Consul and Consul Enterprise 1.10.1 Txn.Apply endpoint allowed services to register proxies for other services, enabling access to service traffic. in github.com/hashicorp/consul
GO-2022-0593: HashiCorp Consul Privilege Escalation Vulnerability in github.com/hashicorp/consul
GO-2022-0615: Hashicorp Consul HTTP health check endpoints returning an HTTP redirect may be abused as SSRF vector in github.com/hashicorp/consul
GO-2022-0894: Hashicorp Consul Missing SSL Certificate Validation in github.com/hashicorp/consul
GO-2022-0895: HashiCorp Consul L7 deny intention results in an allow action in github.com/hashicorp/consul
GO-2022-0953: HashiCorp Consul Ingress Gateway Panic Can Shutdown Servers in github.com/hashicorp/consul
GO-2022-1029: HashiCorp Consul vulnerable to authorization bypass in github.com/hashicorp/consul
GO-2023-1827: Hashicorp Consul vulnerable to denial of service in github.com/hashicorp/consul
GO-2023-1851: HashiCorp Consul Cross-site Scripting vulnerability in github.com/hashicorp/consul
GO-2024-3242: Hashicorp Consul Cross-site Scripting vulnerability in github.com/hashicorp/consul
Note that to verify via the cross-signed intermediate, openssl requires it to
be bundled with the _root_ CA bundle and will ignore the cert if it's passed
with the subject. You can do that with:
Note that the same leaf and root without the intermediate should fail:
$ openssl verify -verbose -CAfile ca1-ca.cert.pem ca2-svc-db.cert.pem
ca2-svc-db.cert.pem: CN = db
error 20 at 0 depth lookup:unable to get local issuer certificate
NOTE: THIS IS A QUIRK OF OPENSSL; in Connect we distribute the roots alone
and stable intermediates like the XC cert to the _leaf_.