cbcvebase.
CVE-2021-41805
published 2021-12-12

CVE-2021-41805: HashiCorp Consul Enterprise before 1.8.17, 1.9.x before 1.9.11, and 1.10.x before 1.10.4 has Incorrect Access Control. An ACL token (with the default…

PriorityP268high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EPSS
34.79%
98.2th percentile
HashiCorp Consul Enterprise before 1.8.17, 1.9.x before 1.9.11, and 1.10.x before 1.10.4 has Incorrect Access Control. An ACL token (with the default operator:write permissions) in one namespace can be used for unintended privilege escalation in a different namespace.

Affected

4 ranges
VendorProductVersion rangeFixed in
debianconsul
hashicorpconsul>= 1.10.0 < 1.10.41.10.4
hashicorpconsul>= 1.7.0 < 1.8.171.8.17
hashicorpconsul>= 1.9.0 < 1.9.111.9.11

Detection & IOCsextracted from sources · hover to see the quote

  • Privilege escalation via ACL token with operator:write permissions used across namespaces in HashiCorp Consul Enterprise — monitor for ACL token usage attempting operations in namespaces other than the token's own namespace
  • ·Vulnerability affects HashiCorp Consul Enterprise only (not open-source Consul); fixed in versions 1.8.17, 1.9.11, and 1.10.4 — verify deployed version is patched
  • ·The vulnerable permission level is the default operator:write — any ACL token granted this default permission in a multi-namespace deployment should be treated as potentially capable of cross-namespace privilege escalation until patched

CVSS provenance

nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvdv2.06.5MEDIUMAV:N/AC:L/Au:S/C:P/I:P/A:P
osv8.8HIGH
vendor_debian8.8LOW
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.