Application-Aware Intention Deny Action Flaw in HashiCorp Consul and Consul Enterprise
CVE-2021-36213

7.5HIGH

Key Information:

Vendor
Hashicorp
Status
Consul
Vendor
CVE Published:
17 July 2021

Summary

The assignment of a default deny policy in HashiCorp Consul and Consul Enterprise versions from 1.9.0 to 1.10.0 is flawed. When combined with a single L7 application-aware intention deny action, this flaw leads to the incorrect evaluation of the intention, causing it to improperly fail open. As a result, Layer 4 (L4) traffic, which should be restricted, is inadvertently allowed to pass through, potentially exposing the environment to malicious access. This issue has been addressed in versions 1.9.8 and 1.10.1.

References

https://www.hashicorp.com/blog/category/consul
x_refsource_MISC
https://github.com/hashicorp/consul/releases/tag/v1.10.1
x_refsource_CONFIRM
https://discuss.hashicorp.com/t/hcsec-2021-16-consul-s-ap...
x_refsource_CONFIRM

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.