Fluid Attacks Database

Description

Consul JWT Auth in L7 Intentions Allow for Mismatched Service Identity and JWT Providers A vulnerability was identified in Consul such that using JWT authentication for service mesh incorrectly allows/denies access regardless of service identities. This vulnerability, CVE-2023-3518, affects Consul 1.16.0 and was fixed in 1.16.1.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
go	github.com/hashicorp/consul/acl	=1.16.0	1.16.1
go	github.com/hashicorp/consul	=1.16.0 \|\| >=1.16.0 <1.16.1	1.16.1
go	github.com/hashicorp/consul/agent/xds	>=0 <1.16.1	1.16.1

Aliases

1. CVE-2023-35182. NVD-2023-35183. OSV-2023-35184. GCVE-2023-3518

References

1. https://discuss.hashicorp.com/t/hcsec-2023-25-consul-jwt-auth-in-l7-intentions-allow-for-mismatched-service-identity-and-jwt-providers/570042. https://github.com/hashicorp/consul/pull/18062

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.