Fluid Attacks Database

Description

HashiCorp Consul does not properly validate node or segment names prior to usage in JWT claim assertions HashiCorp Consul 1.8.1 up to 1.11.8, 1.12.4, and 1.13.1 did not properly validate the node or segment names prior to interpolation and usage in JWT claim assertions with the auto config RPC. Fixed in 1.11.9, 1.12.5, and 1.13.2.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
go	github.com/hashicorp/consul	>=1.8.1 <1.11.9 \|\| >=1.12.0 <1.12.5 \|\| >=1.13.0 <1.13.2	1.11.9, 1.12.5, 1.13.2
debian 11	consul	=1.10.12+dfsg1-1 \|\| =1.8.7+dfsg1-2 \|\| =1.8.7+dfsg1-3 \|\| =1.8.7+dfsg1-4 \|\| =1.8.7+dfsg1-5 \|\| =1.8.7+dfsg1-6 \|\| =1.9.17+dfsg2-1	-
go	github.com/hashicorp/consul/acl	>=1.8.1 <1.11.9 \|\| =1.12.4 \|\| =1.13.1	1.11.9

Aliases

1. CVE-2021-418032. NVD-2021-418033. OSV-2021-418034. OSV-DEBIAN-2021-418035. GCVE-2021-418036. SECURITY-TRACKER-CVE-2021-41803

References

1. https://github.com/hashicorp/consul/pull/14577/commits/2c881259ce10e308ff03afc968c4165998fd7fee2. https://discuss.hashicorp.com/t/hcsec-2022-19-consul-auto-config-jwt-authorization-missing-input-validation/446273. https://lists.fedoraproject.org/archives/list/[email protected]/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC4. https://lists.fedoraproject.org/archives/list/[email protected]/message/XNF4OLYZRQE75EB5TW5N42FSXHBXGWFE5. https://lists.fedoraproject.org/archives/list/[email protected]/message/ZTE4ITXXPIWZEQ4HYQCB6N6GZIMWXDAI6. https://www.hashicorp.com/blog/category/consul