CVE-2021-28156: Authorization Bypass Through User-Controlled Key in Consul

Severity: 7.5 HIGH (NVD)
EPSS: 0.5% (top 36.19%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Apr 20; latest update May 24

Description

HashiCorp Consul Enterprise versions 1.8.0 up to 1.9.4 allow the audit log to be bypassed by specifically crafted HTTP events. Fixed in 1.9.5 and 1.8.10. Audit logging is a Consul Enterprise feature, so open-source Consul builds are not in scope. The impact is to the integrity of the audit trail (requests that should be recorded are not), which is why the CVSS vector carries I:H with no confidentiality or availability impact.
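An added example, not from this page, HashiCorp, or any of the linked advisories, that turns the version statement above into a fleet check. It parses the first line of `consul version` output or a bare version string, treats a build as Enterprise when its build metadata contains `ent` (the `+ent` suffix Consul Enterprise binaries carry; assumed here, not stated on the page), and applies the two affected ranges implied by the fix versions: the 1.8.x line is fixed at 1.8.10 and the 1.9.x line at 1.9.5. Pre-release tags sort before their release per semver, so a hypothetical 1.8.10-rc1 still counts as affected. All sample version strings and the revision hash are constructed.

```python
import re

# Affected ranges reconstructed from the advisory text: 1.8.0 up to 1.9.4 is
# affected, fixed in 1.8.10 (1.8.x line) and 1.9.5 (1.9.x line).
# Each entry is (first affected, first fixed); the upper bound is exclusive.
AFFECTED_RANGES = [
    ((1, 8, 0), (1, 8, 10)),
    ((1, 9, 0), (1, 9, 5)),
]

# Accepts "Consul v1.9.4+ent", "v1.9.4+ent", "1.9.4-rc1+ent", "1.9.4", ...
_VERSION_RE = re.compile(
    r"^(?:Consul\s+)?v?(\d+)\.(\d+)\.(\d+)"
    r"(?:-([0-9A-Za-z.-]+))?"      # optional pre-release tag
    r"(?:\+([0-9A-Za-z.-]+))?$"    # optional build metadata, e.g. "ent" or "ent.fips1402"
)


def parse_version(text):
    """Parse a bare version string or the output of `consul version`.

    Only the first line is used: `consul version` is assumed to print the
    version on line one and revision/protocol details after it.
    Returns (major, minor, patch, prerelease_or_None, build_or_None).
    """
    first = text.strip().splitlines()[0].strip()
    m = _VERSION_RE.match(first)
    if not m:
        raise ValueError(f"unrecognised Consul version string: {first!r}")
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    return major, minor, patch, m.group(4), m.group(5)


def is_enterprise(build):
    """Assumption: Consul Enterprise builds carry 'ent' in their build
    metadata ('+ent', or '+ent.fips1402' on FIPS builds)."""
    return build is not None and "ent" in build.split(".")


def _sort_key(major, minor, patch, prerelease):
    # Semver ordering: a pre-release sorts before the release it precedes, so
    # 1.8.10-rc1 < 1.8.10 and is still inside the affected range.
    return (major, minor, patch, 0 if prerelease else 1)


def is_affected(text):
    """True when `text` names a Consul Enterprise build inside an affected range."""
    major, minor, patch, prerelease, build = parse_version(text)
    if not is_enterprise(build):
        # Audit logging is an Enterprise feature and the advisory names
        # Enterprise only, so OSS builds are reported as not affected.
        return False
    key = _sort_key(major, minor, patch, prerelease)
    return any(
        _sort_key(*lo, None) <= key < _sort_key(*hi, None)
        for lo, hi in AFFECTED_RANGES
    )


if __name__ == "__main__":
    # Constructed sample inputs, not real inventory data.
    samples = [
        "Consul v1.9.4+ent\nRevision 10bb6cb3b",
        "1.8.10+ent",
        "1.9.4",
        "1.8.10-rc1+ent",
    ]
    for sample in samples:
        print(f"{sample.splitlines()[0]!r:32} affected={is_affected(sample)}")
```

In an inventory job, feed `is_affected` the captured stdout of `consul version` from each node; anything it reports as affected needs the 1.8.10 or 1.9.5 upgrade, and anything it rejects with `ValueError` should be inspected by hand rather than silently skipped.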

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Exploitability: 3.9 | Impact: 3.6

Affected Packages (2)

NVD: hashicorp/consul, 1.8.0 up to 1.8.10 (+1 more range)
Debian: debian/consul

Vulnerability Details (2)

GHSA: GHSA-jw67-86pq-v324: HashiCorp Consul Enterprise version 1... (2022-05-24)
OSV: CVE-2021-28156: HashiCorp Consul Enterprise version 1... (2021-04-20)

Vendor Advisories (2)

Red Hat: consul: Audit log requests bypass (2021-04-16)
Debian: CVE-2021-28156: consul - HashiCorp Consul Enterprise version 1.8.0 up to 1.9.4 audit log can be bypassed ... (2021)