Lucene search

GoogleOSV:BIT-CONSUL-2021-41803

HistoryMar 06, 2024 - 10:52 a.m.

BIT-consul-2021-41803

2024-03-0610:52:42

Google

osv.dev

hashicorp consul

node names

segment names

jwt claim assertions

auto config rpc

security vulnerability

software update

7.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H

7 High

AI Score

Confidence

Low

0.002 Low

EPSS

Percentile

59.8%

JSON

HashiCorp Consul 1.8.1 up to 1.11.8, 1.12.4, and 1.13.1 do not properly validate the node or segment names prior to interpolation and usage in JWT claim assertions with the auto config RPC. Fixed in 1.11.9, 1.12.5, and 1.13.2."

CPENameOperatorVersion
consulle1.12.4
consulge1.13.1
consullt1.11.9
consulge1.8.1
consulle1.13.1
consulge1.12.4

Name	Operator	Version
consul	le	1.12.4
consul	ge	1.13.1
consul	lt	1.11.9
consul	ge	1.8.1
consul	le	1.13.1
consul	ge	1.12.4

References

discuss.hashicorp.com/t/hcsec-2022-19-consul-auto-config-jwt-authorization-missing-input-validation/44627

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XNF4OLYZRQE75EB5TW5N42FSXHBXGWFE/

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZTE4ITXXPIWZEQ4HYQCB6N6GZIMWXDAI/

www.hashicorp.com/blog/category/consul

7.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H

7 High

AI Score

Confidence

Low

0.002 Low

EPSS

Percentile

59.8%

JSON

Related for OSV:BIT-CONSUL-2021-41803