CVE-2021-41803 – github.com/hashicorp/consul
Package
Manager: go
Name: github.com/hashicorp/consul
Vulnerable Version: >=1.8.1 <1.11.9 || >=1.12.0 <1.12.5 || >=1.13.0 <1.13.2
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00216 (percentile: 0.44179)
Details
HashiCorp Consul does not properly validate node or segment names prior to usage in JWT claim assertions
HashiCorp Consul 1.8.1 up to 1.11.8, 1.12.4, and 1.13.1 did not properly validate the node or segment names prior to interpolation and usage in JWT claim assertions with the auto config RPC. Fixed in 1.11.9, 1.12.5, and 1.13.2.
Metadata
Created: 2022-09-25T00:00:15Z
Modified: 2024-04-22T19:08:30Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-hr3v-8cp3-68rf/GHSA-hr3v-8cp3-68rf.json
CWE IDs: ["CWE-862"]
Alternative ID: GHSA-hr3v-8cp3-68rf
Finding: F039
Auto approve: 1