CVE-2021-36213
Published 2021-07-17
CVE-2021-36213: HashiCorp Consul and Consul Enterprise 1.9.0 through 1.10.0 default deny policy with a single L7 application-aware intention deny action cancels out, causing…
Priority: P3 40 · Severity: high · CVSS 3.1: 7.5
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:N / I:H / A:N
EPSS: 1.74% (74.9th percentile)
HashiCorp Consul and Consul Enterprise 1.9.0 through 1.10.0: when the agent's default policy is deny and a service-intentions entry contains a single L7 (application-aware) permission with a deny action, the two cancel out and the generated proxy configuration incorrectly fails open, allowing L4 traffic that should have been denied. Fixed in 1.9.8 and 1.10.1.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | consul | — | — |
| github.com | hashicorp_consul | >= 0 < 1.10.1 | 1.10.1 |
| hashicorp | consul | >= 1.10.0 < 1.10.1 | 1.10.1 |
| hashicorp | consul | >= 1.9.0 < 1.9.8 | 1.9.8 |
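The advisory describes one specific shape: default-deny ACL policy plus an intention whose only permission is an L7 deny. The script below is an added example, not HashiCorp's code or anything from the advisory, that checks an agent version against the affected ranges above and flags service-intentions entries matching that shape. It assumes the version string is what `consul version` or `GET /v1/agent/self` reports (e.g. `1.10.0+ent`), that `default_policy` is the agent's `acl.default_policy` value, and that the config entries have the JSON shape `consul config read -kind service-intentions` returns; the sample entries are constructed inline.

```python
"""Audit a Consul deployment for the CVE-2021-36213 fail-open pattern.

Added illustration, not code from HashiCorp or from this advisory. Assumes:
(1) `version` is the agent version string, e.g. "1.10.0+ent";
(2) `default_policy` is the agent's acl.default_policy setting;
(3) entries have the JSON shape of `consul config read -kind service-intentions`.
All sample data below is constructed for the example.
"""
import json
import re

# Affected per the advisory: [1.9.0, 1.9.8) and [1.10.0, 1.10.1).
AFFECTED_RANGES = (((1, 9, 0), (1, 9, 8)), ((1, 10, 0), (1, 10, 1)))


def parse_version(version):
    """Turn "v1.10.0+ent" or "1.9.7-beta1" into a (major, minor, patch) tuple."""
    core = re.split(r"[-+]", version.strip().lstrip("v"), maxsplit=1)[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected_version(version):
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def single_l7_deny_sources(entry):
    """Names of sources whose intention is exactly one HTTP permission with Action=deny.

    That is the shape the advisory describes: combined with acl.default_policy=deny,
    affected versions generated an Envoy (xDS) config that allowed L4 traffic.
    Other shapes (mixed allow/deny permissions, L4-only intentions) are simply not
    flagged; this script does not claim they are safe.
    """
    flagged = []
    for src in entry.get("Sources", []):
        perms = src.get("Permissions") or []
        if (len(perms) == 1
                and str(perms[0].get("Action", "")).lower() == "deny"
                and perms[0].get("HTTP")):
            flagged.append(src.get("Name"))
    return flagged


def audit(version, default_policy, entries):
    """Return [(destination, source), ...] pairs matching the vulnerable pattern."""
    if default_policy != "deny" or not is_affected_version(version):
        return []
    findings = []
    for entry in entries:
        if entry.get("Kind") != "service-intentions":
            continue
        for src in single_l7_deny_sources(entry):
            findings.append((entry["Name"], src))
    return findings


# Constructed sample: what `consul config read` might return for two destinations.
SAMPLE_ENTRIES = json.loads("""
[
  {"Kind": "service-intentions", "Name": "web",
   "Sources": [
     {"Name": "api",
      "Permissions": [{"Action": "deny", "HTTP": {"PathPrefix": "/admin"}}]},
     {"Name": "monitoring", "Action": "allow"}
   ]},
  {"Kind": "service-intentions", "Name": "db",
   "Sources": [
     {"Name": "web",
      "Permissions": [
        {"Action": "allow", "HTTP": {"PathExact": "/health", "Methods": ["GET"]}},
        {"Action": "deny",  "HTTP": {"PathPrefix": "/"}}
      ]}
   ]}
]
""")

if __name__ == "__main__":
    for dest, src in audit("1.10.0+ent", "deny", SAMPLE_ENTRIES):
        print(f"{src} -> {dest}: single L7 deny under default-deny on an affected "
              f"version; expect L4 fail-open until upgraded to 1.9.8 / 1.10.1")
```

The only remediation the advisory gives is the upgrade; the script is a triage aid for deciding which clusters to patch first, and a non-match is not evidence that an affected version is safe.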
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N |
| osv | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | LOW | — |
Debian
CVE-2021-36213 [HIGH]: consul - HashiCorp Consul and Consul Enterprise 1.9.0 through 1.10.0 default deny policy ... (vendor_debian · 2021 · CVSS 7.5)
Scope: local
bullseye: resolved
OSV
CVE-2021-36213: HashiCorp Consul L7 deny intention results in an allow action in github.com/hashicorp/consul (osv · 2024-08-21)
GHSA
CVE-2021-36213 [HIGH]: HashiCorp Consul L7 deny intention results in an allow action (ghsa · 2021-07-19)
In HashiCorp Consul before 1.10.1 (and Consul Enterprise), xDS can generate a situation where a single L7 deny intention (with a default deny policy) results in an allow action.
OSV
CVE-2021-36213 [HIGH]: HashiCorp Consul L7 deny intention results in an allow action (osv · 2021-07-19; same advisory text as the GHSA entry above)
OSV
CVE-2021-36213 [HIGH]: HashiCorp Consul and Consul Enterprise 1… (osv · 2021-07-17 · CVSS 7.5)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://discuss.hashicorp.com/t/hcsec-2021-16-consul-s-application-aware-intentions-deny-action-fails-open-when-combined-with-default-deny-policy/26855
- https://github.com/hashicorp/consul/releases/tag/v1.10.1
- https://security.gentoo.org/glsa/202208-09
- https://www.hashicorp.com/blog/category/consul