CVE-2021-41803 — Missing Authorization in Hashicorp Consul

CWE-862 — Missing Authorization7 documents5 sources

Severity

7.1HIGHNVD

EPSS

0.3%

top 45.86%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Hashicorp Consul Hashicorp Consul Debian Consul

Timeline

PublishedSep 23

Latest updateApr 5

Description

HashiCorp Consul 1.8.1 up to 1.11.8, 1.12.4, and 1.13.1 do not properly validate the node or segment names prior to interpolation and usage in JWT claim assertions with the auto config RPC. Fixed in 1.11.9, 1.12.5, and 1.13.2."

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:HExploitability: 2.8 | Impact: 4.2

Affected Packages3 packages

▶NVDhashicorp/consul1.8.1 — 1.11.9+2

▶Gogithub.com/hashicorp_consul1.8.1 — 1.11.9+2

▶debiandebian/consul

🔴Vulnerability Details

OSV

Improper handling of node names in JWT claims assertions in github.com/hashicorp/consul↗2024-04-05

▶

OSV

HashiCorp Consul does not properly validate node or segment names prior to usage in JWT claim assertions↗2022-09-25

▶

GHSA

HashiCorp Consul does not properly validate node or segment names prior to usage in JWT claim assertions↗2022-09-25

▶

OSV

CVE-2021-41803: HashiCorp Consul 1↗2022-09-23

▶

📋Vendor Advisories

Red Hat

consul: Consul Auto-Config JWT Authorization Missing Input Validation↗2022-09-23

▶

Debian

CVE-2021-41803: consul - HashiCorp Consul 1.8.1 up to 1.11.8, 1.12.4, and 1.13.1 do not properly validate...↗2021

▶