Conversation

@HenriqueOCabral (Member) opened this pull request

No description provided.

@kapyteinaikido (Collaborator) left a comment


The changelog also mentions two other vulnerabilities (which we should maybe cover in separate advisories).

agent: Fix a security vulnerability to filter out anonymous tokens along with empty tokens when setting the Results-Filtered-By-ACLs header [https://github.com/hashicorp/consul/issues/22534]

agent: Fix a security vulnerability where the attacker could read agent’s TLS certificate and private key by using the group ID that the Consul agent runs as. [https://github.com/hashicorp/consul/issues/22626]

Is there an existing (GitHub) security advisory for those?

@HenriqueOCabral (Member Author)

The changelog also mentions two other vulnerabilities (which we should maybe cover in separate advisories).

agent: Fix a security vulnerability to filter out anonymous tokens along with empty tokens when setting the Results-Filtered-By-ACLs header [https://github.com/hashicorp/consul/issues/22534]

agent: Fix a security vulnerability where the attacker could read agent’s TLS certificate and private key by using the group ID that the Consul agent runs as. [https://github.com/hashicorp/consul/issues/22626]

Is there an existing (GitHub) security advisory for those?

That was a good catch. I was rushing through many repos and didn't notice that the first one was affecting not only unit test code, and that for the other one it might be good to document the mitigation, so many folks could fix it even without patching the lib. I'll create them :)

@HenriqueOCabral (Member Author)

#866

#867
