CVE-2023-3518 github.com/hashicorp/consul

Package

Manager: go
Name: github.com/hashicorp/consul
Vulnerable Version: =1.16.0 || >=1.16.0 <1.16.1

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

EPSS: 0.00104 (percentile 0.29005)

Details

Consul JWT Auth in L7 Intentions Allow for Mismatched Service Identity and JWT Providers

A vulnerability was identified in Consul such that using JWT authentication for service mesh incorrectly allows/denies access regardless of service identities. This vulnerability, CVE-2023-3518, affects Consul 1.16.0 and was fixed in 1.16.1.

Metadata

Created: 2023-08-09T18:30:52Z
Modified: 2024-04-01T18:32:42Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/08/GHSA-9rhf-q362-77mx/GHSA-9rhf-q362-77mx.json
CWE IDs: ["CWE-266", "CWE-285"]
Alternative ID: GHSA-9rhf-q362-77mx
Finding: F039
Auto approve: 1