CVE-2023-44487 found on 3PP apimachinery included in consul binary

Hi, JFrog Xray detects CVE-2023-44487 in the Go library “apimachinery” included in the consul binary (1.21.5). Bulletin HCSEC-2023-32 (November 2023) declares the CVE as fixed in consul version 1.14 and later.

Is there any official statement related to whether CVE-2023-44487 detected in apimachinery library causes recent consul versions to be vulnerable?


Hi,

We have the same issue. Can someone reply to the queries from dodaus?

The apimachinery version v0.26.2 is used by consul 1.21.5 and by the latest version 1.22.1, and the Xray scan flags it with CVE-2023-44487.

Please let us know if there is a clear statement from Hashicorp that consul 1.21.5 and 1.22.1 are not affected by CVE-2023-44487.

Regards,

Gino
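CVE-2023-44487 (HTTP/2 "Rapid Reset") is a flaw in HTTP/2 server implementations; in Go it was fixed in the standard library's net/http (Go 1.20.10 / 1.21.3) and in golang.org/x/net/http2 (v0.17.0). A scanner hit on the apimachinery module alone therefore does not answer the question in this thread: what decides whether a Go binary's HTTP/2 server is affected is the toolchain and the x/net version it was built with, both of which are recorded in the binary and listed by `go version -m <binary>`. The script below is an added example, not anything from HashiCorp or from this thread: it parses a `go version -m` listing, reports the apimachinery version the scanner is complaining about, and checks the two components that actually carry the fix. The listings it creates are constructed samples in that format, not real consul builds; the `h1:placeholder` hashes, the function names and the `check_http2_fix` verdict logic are all mine.

```shell
#!/bin/sh
# Added example: audit a Go binary's embedded module list for the CVE-2023-44487 fix.
# Real use:  go version -m /usr/local/bin/consul > modules.txt && check_http2_fix modules.txt
set -eu

# Versions that carry the HTTP/2 Rapid Reset fix (Go vulnerability database):
#   standard library net/http: Go 1.20.10 or 1.21.3 and later minors
#   golang.org/x/net/http2:    v0.17.0
XNET_FIXED="v0.17.0"

# version_ge A B -> success when A >= B in version order (uses GNU sort -V)
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$2" ]
}

# toolchain_version FILE -> Go version from the first line, e.g. "consul: go1.21.1" -> 1.21.1
toolchain_version() {
    head -n1 "$1" | sed 's/^.*: go//'
}

# dep_version FILE MODULE -> version recorded for MODULE in the "dep" lines, or "missing"
# `go version -m` lines are tab-separated: <tab>dep<tab>module<tab>version<tab>hash
dep_version() {
    awk -v mod="$2" -F'\t' \
        '$2 == "dep" && $3 == mod { print $4; found = 1 } END { if (!found) print "missing" }' "$1"
}

# go_fixed VERSION -> success when the toolchain's net/http contains the fix
go_fixed() {
    case "$1" in
        1.20.*) version_ge "$1" 1.20.10 ;;
        1.21.*) version_ge "$1" 1.21.3 ;;
        *)      version_ge "$1" 1.22 ;;   # 1.22+ shipped with the fix; older minors never received it
    esac
}

# check_http2_fix FILE -> prints what was found; returns 0 if both fix carriers are current
check_http2_fix() {
    gover=$(toolchain_version "$1")
    xnet=$(dep_version "$1" golang.org/x/net)
    apim=$(dep_version "$1" k8s.io/apimachinery)
    echo "toolchain go$gover | golang.org/x/net $xnet | k8s.io/apimachinery $apim"
    status=0
    go_fixed "$gover" || { echo "  net/http from go$gover predates the fix"; status=1; }
    if [ "$xnet" != "missing" ]; then
        version_ge "$xnet" "$XNET_FIXED" || { echo "  golang.org/x/net $xnet predates $XNET_FIXED"; status=1; }
    fi
    return $status
}

# make_sample FILE GO_VERSION XNET_VERSION -> constructed listing in `go version -m` format
# (not a real consul build; apimachinery pinned to the v0.26.2 the thread mentions)
make_sample() {
    printf 'consul: go%s\n' "$2" > "$1"
    printf '\tpath\tgithub.com/hashicorp/consul\n' >> "$1"
    printf '\tdep\tgolang.org/x/net\t%s\th1:placeholder\n' "$3" >> "$1"
    printf '\tdep\tk8s.io/apimachinery\tv0.26.2\th1:placeholder\n' >> "$1"
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir/old.txt" 1.21.1 v0.15.0   # constructed: both components pre-fix
make_sample "$demo_dir/new.txt" 1.21.3 v0.17.0   # constructed: both components at the fix version
check_http2_fix "$demo_dir/old.txt" || echo "verdict: HTTP/2 fix absent"
check_http2_fix "$demo_dir/new.txt" && echo "verdict: HTTP/2 fix present"
```

This answers only "does the embedded HTTP/2 code carry the fix"; for a symbol-level answer (whether the vulnerable code is reachable at all from the binary), `govulncheck -mode=binary <binary>` from golang.org/x/vuln reads the same embedded build information and reports against the Go vulnerability database.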