CVE-2021-41803
Published 2022-09-23
CVE-2021-41803: HashiCorp Consul 1.8.1 up to 1.11.8, 1.12.4, and 1.13.1 do not properly validate the node or segment names prior to interpolation and usage in JWT claim…
Priority P434 · high · 7.1 · CVSS 3.1
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H
EPSS: 0.82% (52.7th percentile)
HashiCorp Consul 1.8.1 up to 1.11.8, 1.12.4, and 1.13.1 do not properly validate the node or segment names prior to interpolation and usage in JWT claim assertions with the auto config RPC. Fixed in 1.11.9, 1.12.5, and 1.13.2.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | consul | — | — |
| github.com | hashicorp_consul | >= 1.12.0 < 1.12.5 | 1.12.5 |
| github.com | hashicorp_consul | >= 1.13.0 < 1.13.2 | 1.13.2 |
| github.com | hashicorp_consul | >= 1.8.1 < 1.11.9 | 1.11.9 |
| hashicorp | consul | — | — |
| hashicorp | consul | — | — |
| hashicorp | consul | >= 1.8.1 < 1.11.9 | 1.11.9 |
CVSS provenance
nvd · v3.1 · 7.1 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H
osv · 7.1 HIGH
vendor_debian · 7.1 HIGH
vendor_redhat · 7.1 HIGH
Red Hat
consul: Consul Auto-Config JWT Authorization Missing Input Validation
vendor_redhat·2022-09-23·CVSS 7.1
CVE-2021-41803 [HIGH] CWE-862 consul: Consul Auto-Config JWT Authorization Missing Input Validation
HashiCorp Consul 1.8.1 up to 1.11.8, 1.12.4, and 1.13.1 do not properly validate the node or segment names prior to interpolation and usage in JWT claim assertions with the auto config RPC. Fixed in 1.11.9, 1.12.5, and 1.13.2.
A flaw was found in HashiCorp Consul, where it is vulnerable to a denial of service caused by improper input validation for the node or segment names. By sending a specially-crafted request, a remote, authenticated attacker can cause a denial of service.
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stabilit
Debian
CVE-2021-41803: consul - HashiCorp Consul 1.8.1 up to 1.11.8, 1.12.4, and 1.13.1 do not properly validate...
vendor_debian·2021·CVSS 7.1
CVE-2021-41803 [HIGH] CVE-2021-41803: consul - HashiCorp Consul 1.8.1 up to 1.11.8, 1.12.4, and 1.13.1 do not properly validate...
HashiCorp Consul 1.8.1 up to 1.11.8, 1.12.4, and 1.13.1 do not properly validate the node or segment names prior to interpolation and usage in JWT claim assertions with the auto config RPC. Fixed in 1.11.9, 1.12.5, and 1.13.2.
Scope: local
bullseye: open
OSV
Improper handling of node names in JWT claims assertions in github.com/hashicorp/consul
osv·2024-04-05
CVE-2021-41803 Improper handling of node names in JWT claims assertions in github.com/hashicorp/consul
HashiCorp Consul does not properly validate the node or segment names prior to interpolation and usage in JWT claim assertions with the auto config RPC.
OSV
HashiCorp Consul does not properly validate node or segment names prior to usage in JWT claim assertions
osv·2022-09-25
CVE-2021-41803 [HIGH] HashiCorp Consul does not properly validate node or segment names prior to usage in JWT claim assertions
HashiCorp Consul 1.8.1 up to 1.11.8, 1.12.4, and 1.13.1 did not properly validate the node or segment names prior to interpolation and usage in JWT claim assertions with the auto config RPC. Fixed in 1.11.9, 1.12.5, and 1.13.2.
GHSA
HashiCorp Consul does not properly validate node or segment names prior to usage in JWT claim assertions
ghsa·2022-09-25
CVE-2021-41803 [HIGH] CWE-862 HashiCorp Consul does not properly validate node or segment names prior to usage in JWT claim assertions
HashiCorp Consul 1.8.1 up to 1.11.8, 1.12.4, and 1.13.1 did not properly validate the node or segment names prior to interpolation and usage in JWT claim assertions with the auto config RPC. Fixed in 1.11.9, 1.12.5, and 1.13.2.
OSV
CVE-2021-41803: HashiCorp Consul 1
osv·2022-09-23·CVSS 7.1
CVE-2021-41803 [HIGH] CVE-2021-41803: HashiCorp Consul 1
HashiCorp Consul 1.8.1 up to 1.11.8, 1.12.4, and 1.13.1 do not properly validate the node or segment names prior to interpolation and usage in JWT claim assertions with the auto config RPC. Fixed in 1.11.9, 1.12.5, and 1.13.2.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://discuss.hashicorp.com/t/hcsec-2022-19-consul-auto-config-jwt-authorization-missing-input-validation/44627
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XNF4OLYZRQE75EB5TW5N42FSXHBXGWFE/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZTE4ITXXPIWZEQ4HYQCB6N6GZIMWXDAI/
https://www.hashicorp.com/blog/category/consul
Published: 2022-09-23