
CVE-2022-3920: CWE-862 Missing Authorization in HashiCorp Consul

Severity: Medium
Type: Vulnerability
Tags: CVE-2022-3920, CWE-862
Published: Tue Nov 15 2022 (11/15/2022, 23:25:30 UTC)
Source: CVE
Vendor/Project: HashiCorp
Product: Consul

Description

HashiCorp Consul and Consul Enterprise 1.13.0 up to 1.13.3 do not filter cluster filtering's imported nodes and services for HTTP or RPC endpoints used by the UI. Fixed in 1.14.0.

AI-Powered Analysis

AI analysis last updated: 06/25/2025, 02:51:46 UTC

Technical Analysis

CVE-2022-3920 is a medium-severity vulnerability affecting HashiCorp Consul versions 1.13.0 through 1.13.3, including Consul Enterprise editions. The vulnerability arises from missing authorization checks (CWE-862) in the cluster filtering mechanism for imported nodes and services when accessed via HTTP or RPC endpoints used by the Consul UI. Specifically, the affected versions do not properly filter or restrict access to these imported nodes and services, allowing unauthenticated remote attackers to query information about cluster nodes and services that should be restricted. The vulnerability does not allow modification or disruption of services (no integrity or availability impact), but it does expose some level of confidential information about the cluster topology and services. The flaw was addressed and fixed in Consul version 1.14.0. The CVSS v3.1 base score is 5.3 (medium), reflecting the vulnerability's network attack vector, low attack complexity, no privileges required, and no user interaction needed, but limited to confidentiality impact only. There are no known exploits in the wild as of the published date. This vulnerability primarily impacts environments where Consul is deployed with UI or RPC endpoints exposed to untrusted networks without additional access controls or network segmentation. The issue stems from insufficient authorization filtering on imported nodes and services, which could be leveraged by attackers to gain insight into internal service configurations and potentially aid in further reconnaissance or targeted attacks.

Potential Impact

For European organizations, the exposure of internal service and node information due to this vulnerability can facilitate attackers' reconnaissance efforts, potentially leading to more targeted and sophisticated attacks. Organizations using Consul for service discovery and configuration management in critical infrastructure, financial services, telecommunications, or government sectors may face increased risk of information leakage. Although the vulnerability does not directly allow service disruption or data modification, the confidentiality loss can undermine security postures and compliance with data protection regulations such as GDPR, especially if sensitive operational details are exposed. The risk is heightened in environments where Consul UI or RPC endpoints are accessible from untrusted networks or insufficiently segmented internal networks. Attackers could leverage this information to map network topology, identify critical services, and plan lateral movement or privilege escalation attacks. This could impact availability and integrity indirectly if followed by further exploitation. Given the widespread adoption of HashiCorp Consul in cloud-native and microservices architectures across Europe, the vulnerability poses a moderate but non-negligible threat to organizations relying on these deployments.

Mitigation Recommendations

1. Upgrade all affected Consul instances to version 1.14.0 or later, where the vulnerability is fixed.
2. Restrict network access to Consul UI and RPC endpoints using firewall rules, VPNs, or zero-trust network segmentation so that only authorized administrators and services can reach these interfaces.
3. Implement strong authentication and authorization controls for Consul UI and API endpoints, including mutual TLS where supported.
4. Regularly audit and monitor access logs for unusual or unauthorized queries to Consul endpoints to detect potential reconnaissance activity.
5. If upgrading immediately is not feasible, consider disabling the UI or RPC endpoints or placing them behind additional access control proxies.
6. Review and tighten Consul ACL policies to minimize exposure of sensitive cluster information.
7. Incorporate vulnerability scanning and configuration management tools to detect and remediate vulnerable Consul versions in the environment.
8. Educate DevOps and security teams about the risks of exposing service discovery tools and enforce secure deployment best practices.
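To support step 7, the following added example (not code from the advisory, HashiCorp, or this site) checks a version string as printed by `consul version` against the affected range stated above, 1.13.0 through 1.13.3 with the fix in 1.14.0. It assumes Enterprise builds carry a `+ent` build-metadata suffix, which does not change the range check; the sample inputs are constructed.

```python
import re
from typing import Optional, Tuple

# Affected range stated in the advisory: Consul and Consul Enterprise 1.13.0
# through 1.13.3 (CVE-2022-3920). The fix shipped in 1.14.0.
AFFECTED_MIN = (1, 13, 0)
AFFECTED_MAX = (1, 13, 3)
FIXED_IN = (1, 14, 0)

# Matches "v1.13.2", "1.13.2+ent" or "1.13.0-beta1" as printed by `consul version`.
# Only the first match in the text is used.
_VERSION_RE = re.compile(r"\bv?(\d+)\.(\d+)\.(\d+)(?:[-+]([0-9A-Za-z.+-]+))?")


def parse_consul_version(text: str) -> Optional[Tuple[Tuple[int, int, int], bool]]:
    """Return ((major, minor, patch), is_enterprise) for the first version string
    in `text`, or None if none is present. The "+ent" suffix (assumed Enterprise
    marker) is reported but does not affect the range check."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    core = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    suffix = m.group(4) or ""
    is_enterprise = "ent" in re.split(r"[.+-]", suffix)
    return core, is_enterprise


def is_affected(core: Tuple[int, int, int]) -> bool:
    """Inclusive range check. Pre-release builds of an affected version
    (e.g. 1.13.0-beta1) are treated as affected, the conservative choice."""
    return AFFECTED_MIN <= core <= AFFECTED_MAX


def assess(text: str) -> Tuple[str, str]:
    """Classify as 'affected', 'not_affected' or 'unknown' with a short reason."""
    parsed = parse_consul_version(text)
    if parsed is None:
        return "unknown", "no Consul version string found; check manually"
    core, ent = parsed
    label = "Consul Enterprise" if ent else "Consul"
    ver = ".".join(map(str, core))
    fixed = ".".join(map(str, FIXED_IN))
    if is_affected(core):
        return "affected", f"{label} {ver} is in the CVE-2022-3920 range; upgrade to {fixed} or later"
    return "not_affected", f"{label} {ver} is outside the advisory's affected range"


if __name__ == "__main__":
    # Constructed sample inputs in the shape `consul version` prints.
    for line in ("Consul v1.13.2+ent", "Consul v1.14.0", "Consul v1.12.9", "n/a"):
        print(line, "->", assess(line))
```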


Technical Details

Data version: 5.1
Assigner short name: HashiCorp
Date reserved: 2022-11-09T23:10:38.071Z
CISA enriched: true
CVSS version: 3.1
State: PUBLISHED

Threat ID: 682d983cc4522896dcbee7a0

Added to database: 5/21/2025, 9:09:16 AM

Last enriched: 6/25/2025, 2:51:46 AM

Last updated: 8/11/2025, 3:39:34 AM

Views: 13
