HashiCorp Consul and Consul Enterprise 1.13.0 up to 1.13.3 do not filter cluster filtering's imported nodes and services for HTTP or RPC endpoints used by the UI. Fixed in 1.14.0. https://discuss.hashicorp.com/t/hcsec-2022-28-consul-cluster-peering-leaks-imported-nodes-services-information/46946
Created golang-github-hashicorp-consul-api tracking bugs for this issue: Affects: fedora-35 [bug 2148171] Affects: fedora-36 [bug 2148174] Created golang-github-hashicorp-consul-sdk tracking bugs for this issue: Affects: fedora-35 [bug 2148172] Affects: fedora-36 [bug 2148175] Created moby-engine tracking bugs for this issue: Affects: fedora-35 [bug 2148173] Affects: fedora-36 [bug 2148176]
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-3920