CVE-2021-41805
published 2021-12-12CVE-2021-41805: HashiCorp Consul Enterprise before 1.8.17, 1.9.x before 1.9.11, and 1.10.x before 1.10.4 has Incorrect Access Control. An ACL token (with the default…
PriorityP268high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EPSS
34.79%
98.2th percentile
HashiCorp Consul Enterprise before 1.8.17, 1.9.x before 1.9.11, and 1.10.x before 1.10.4 has Incorrect Access Control. An ACL token (with the default operator:write permissions) in one namespace can be used for unintended privilege escalation in a different namespace.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | consul | — | — |
| hashicorp | consul | >= 1.10.0 < 1.10.4 | 1.10.4 |
| hashicorp | consul | >= 1.7.0 < 1.8.17 | 1.8.17 |
| hashicorp | consul | >= 1.9.0 < 1.9.11 | 1.9.11 |
Detection & IOCsextracted from sources · hover to see the quote
- →Privilege escalation via ACL token with operator:write permissions used across namespaces in HashiCorp Consul Enterprise — monitor for ACL token usage attempting operations in namespaces other than the token's own namespace ↗
- ·Vulnerability affects HashiCorp Consul Enterprise only (not open-source Consul); fixed in versions 1.8.17, 1.9.11, and 1.10.4 — verify deployed version is patched ↗
- ·The vulnerable permission level is the default operator:write — any ACL token granted this default permission in a multi-namespace deployment should be treated as potentially capable of cross-namespace privilege escalation until patched ↗
CVSS provenance
nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvdv2.06.5MEDIUMAV:N/AC:L/Au:S/C:P/I:P/A:P
osv8.8HIGH
vendor_debian8.8LOW
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-crxx-35wq-w63c: HashiCorp Consul Enterprise before 1
ghsa_unreviewed·2021-12-13
CVE-2021-41805 [HIGH] CWE-863 GHSA-crxx-35wq-w63c: HashiCorp Consul Enterprise before 1
HashiCorp Consul Enterprise before 1.8.17, 1.9.x before 1.9.11, and 1.10.x before 1.10.4 has Incorrect Access Control. An ACL token (with the default operator:write permissions) in one namespace can be used for unintended privilege escalation in a different namespace.
OSV
CVE-2021-41805: HashiCorp Consul Enterprise before 1
osv·2021-12-12·CVSS 8.8
CVE-2021-41805 [HIGH] CVE-2021-41805: HashiCorp Consul Enterprise before 1
HashiCorp Consul Enterprise before 1.8.17, 1.9.x before 1.9.11, and 1.10.x before 1.10.4 has Incorrect Access Control. An ACL token (with the default operator:write permissions) in one namespace can be used for unintended privilege escalation in a different namespace.
Debian
CVE-2021-41805: consul - HashiCorp Consul Enterprise before 1.8.17, 1.9.x before 1.9.11, and 1.10.x befor...
vendor_debian·2021·CVSS 8.8
CVE-2021-41805 [HIGH] CVE-2021-41805: consul - HashiCorp Consul Enterprise before 1.8.17, 1.9.x before 1.9.11, and 1.10.x befor...
HashiCorp Consul Enterprise before 1.8.17, 1.9.x before 1.9.11, and 1.10.x before 1.10.4 has Incorrect Access Control. An ACL token (with the default operator:write permissions) in one namespace can be used for unintended privilege escalation in a different namespace.
Scope: local
bullseye: resolved
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://discuss.hashicorp.com/t/hcsec-2021-29-consul-enterprise-namespace-default-acls-allow-privilege-escalation/31871https://security.netapp.com/advisory/ntap-20211229-0007/https://www.hashicorp.com/blog/category/consulhttps://discuss.hashicorp.com/t/hcsec-2021-29-consul-enterprise-namespace-default-acls-allow-privilege-escalation/31871https://security.netapp.com/advisory/ntap-20211229-0007/https://www.hashicorp.com/blog/category/consul
2021-12-12
Published