Input Validation Flaw in HashiCorp Consul Leading to JWT Claim Vulnerabilities
CVE-2021-41803
7.1 HIGH
Summary
An input validation error has been identified in HashiCorp Consul versions 1.8.1 through 1.11.8, as well as 1.12.4 and 1.13.1. The vulnerability arises because node or segment names are not adequately validated before being interpolated into JSON Web Token (JWT) claim assertions during the auto-configuration remote procedure call (RPC). This oversight can lead to unauthorized access to, or manipulation of, sensitive data. Users are advised to update to fixed versions 1.11.9, 1.12.5, or 1.13.2 to secure their deployments against this issue.
CVSS V3.1
Score: 7.1
Severity: HIGH
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged