CVE-2023-3518 — Incorrect Privilege Assignment in Hashicorp Consul

CWE-266 — Incorrect Privilege Assignment CWE-285 — Improper Authorization5 documents4 sources

Severity

7.3HIGHNVD

EPSS

0.2%

top 62.24%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Hashicorp Consul Hashicorp Consul Enterprise Hashicorp Consul +1 more

Timeline

PublishedAug 9

Latest updateJun 4

Description

HashiCorp Consul and Consul Enterprise 1.16.0 when using JWT Auth for service mesh incorrectly allows/denies access regardless of service identities. Fixed in 1.16.1.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:LExploitability: 3.9 | Impact: 3.4

Affected Packages4 packages

▶CVEListV5hashicorp/consul_enterprise1.16.0

▶Gogithub.com/hashicorp_consul1.16.0 — 1.16.1

▶NVDhashicorp/consul1.16.0

▶debiandebian/consul

🔴Vulnerability Details

OSV

Consul JWT Auth in L7 Intentions Allow for Mismatched Service Identity and JWT Providers in github.com/hashicorp/consul↗2024-06-04

▶

GHSA

Consul JWT Auth in L7 Intentions Allow for Mismatched Service Identity and JWT Providers↗2023-08-09

▶

OSV

Consul JWT Auth in L7 Intentions Allow for Mismatched Service Identity and JWT Providers↗2023-08-09

▶

📋Vendor Advisories

Debian

CVE-2023-3518: consul - HashiCorp Consul and Consul Enterprise 1.16.0 when using JWT Auth for service me...↗2023

▶