CVE-2023-3518
published 2023-08-09CVE-2023-3518: HashiCorp Consul and Consul Enterprise 1.16.0 when using JWT Auth for service mesh incorrectly allows/denies access regardless of service identities. Fixed in…
PriorityP342high7.3CVSS 3.1
AVNACLPRNUINSUCLILAL
EPSS
0.38%
29.8th percentile
HashiCorp Consul and Consul Enterprise 1.16.0 when using JWT Auth for service mesh incorrectly allows/denies access regardless of service identities. Fixed in 1.16.1.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | consul | — | — |
| github.com | hashicorp_consul | >= 1.16.0 < 1.16.1 | 1.16.1 |
| hashicorp | consul | — | — |
| hashicorp | consul_enterprise | — | — |
CVSS provenance
nvdv3.17.3HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
ghsa7.3HIGH
osv7.3HIGH
vendor_debian7.4LOW
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
Consul JWT Auth in L7 Intentions Allow for Mismatched Service Identity and JWT Providers in github.com/hashicorp/consul
osv·2024-06-04
CVE-2023-3518 Consul JWT Auth in L7 Intentions Allow for Mismatched Service Identity and JWT Providers in github.com/hashicorp/consul
Consul JWT Auth in L7 Intentions Allow for Mismatched Service Identity and JWT Providers in github.com/hashicorp/consul
Consul JWT Auth in L7 Intentions Allow for Mismatched Service Identity and JWT Providers in github.com/hashicorp/consul
GHSA
Consul JWT Auth in L7 Intentions Allow for Mismatched Service Identity and JWT Providers
ghsa·2023-08-09·CVSS 7.3
CVE-2023-3518 [HIGH] CWE-266 Consul JWT Auth in L7 Intentions Allow for Mismatched Service Identity and JWT Providers
Consul JWT Auth in L7 Intentions Allow for Mismatched Service Identity and JWT Providers
A vulnerability was identified in Consul such that using JWT authentication for service mesh incorrectly allows/denies access regardless of service identities. This vulnerability, CVE-2023-3518, affects Consul 1.16.0 and was fixed in 1.16.1.
OSV
Consul JWT Auth in L7 Intentions Allow for Mismatched Service Identity and JWT Providers
osv·2023-08-09·CVSS 7.3
CVE-2023-3518 [HIGH] Consul JWT Auth in L7 Intentions Allow for Mismatched Service Identity and JWT Providers
Consul JWT Auth in L7 Intentions Allow for Mismatched Service Identity and JWT Providers
A vulnerability was identified in Consul such that using JWT authentication for service mesh incorrectly allows/denies access regardless of service identities. This vulnerability, CVE-2023-3518, affects Consul 1.16.0 and was fixed in 1.16.1.
Debian
CVE-2023-3518: consul - HashiCorp Consul and Consul Enterprise 1.16.0 when using JWT Auth for service me...
vendor_debian·2023·CVSS 7.4
CVE-2023-3518 [HIGH] CVE-2023-3518: consul - HashiCorp Consul and Consul Enterprise 1.16.0 when using JWT Auth for service me...
HashiCorp Consul and Consul Enterprise 1.16.0 when using JWT Auth for service mesh incorrectly allows/denies access regardless of service identities. Fixed in 1.16.1.
Scope: local
bullseye: resolved
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2023-08-09
Published