Vulnerability

CVE-2021-41803

 Report advisory or correction

CVSS Score 7.1 high

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H

CWE

CWE-862

References

https://discuss.hashicorp.com/t/hcsec-2022-19-consul-auto-config-jwt-authorization-missing-input-validation/44627
https://github.com/hashicorp/consul/pull/14577
https://github.com/hashicorp/consul/pull/14580
https://github.com/hashicorp/consul/pull/14581
https://github.com/hashicorp/consul/pull/14582
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-41803

[CVE-2021-41803] CWE-862: Missing Authorization

Description

HashiCorp Consul 1.8.1 up to 1.11.8, 1.12.4, and 1.13.1 do not properly validate the node or segment names prior to interpolation and usage in JWT claim assertions with the auto config RPC. Fixed in 1.11.9, 1.12.5, and 1.13.2."

See github.com/hashicorp/consul/sdk package information