CVE-2021-32574Improper Certificate Validation in Hashicorp Consul

CWE-295Improper Certificate Validation6 documents4 sources
Severity
7.5HIGHNVD
EPSS
0.8%
top 25.88%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Github.com Hashicorp ConsulHashicorp ConsulDebian Consul
Timeline
PublishedJul 17
Latest updateAug 21

Description

HashiCorp Consul and Consul Enterprise 1.3.0 through 1.10.0 Envoy proxy TLS configuration does not validate destination service identity in the encoded subject alternative name. Fixed in 1.8.14, 1.9.8, and 1.10.1.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

NVDhashicorp/consul1.3.01.8.14+2
debiandebian/consul

🔴Vulnerability Details

4
OSV
Hashicorp Consul Missing SSL Certificate Validation in github.com/hashicorp/consul2024-08-21
GHSA
Hashicorp Consul Missing SSL Certificate Validation2021-07-19
OSV
Hashicorp Consul Missing SSL Certificate Validation2021-07-19
OSV
CVE-2021-32574: HashiCorp Consul and Consul Enterprise 12021-07-17

📋Vendor Advisories

1
Debian
CVE-2021-32574: consul - HashiCorp Consul and Consul Enterprise 1.3.0 through 1.10.0 Envoy proxy TLS conf...2021