JWT Auth in L7 Intentions Allow For Mismatched Service Identity and JWT Providers for Access

CVE-2023-3518

7.4HIGH

Key Information

Vendor: Hashicorp
Status: Consul; Consul Enterprise
Vendor: CVE Published:; 9 August 2023

Summary

HashiCorp Consul and Consul Enterprise 1.16.0 when using JWT Auth for service mesh incorrectly allows/denies access regardless of service identities. Fixed in 1.16.1.

Affected Version(s)

Consul = 1.16.0

Consul Enterprise = 1.16.0

CVSS V3.1

Score:

7.4

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Timeline

Risk change from: 7.3 to: 7.4 - (HIGH)
Oct 8, 2024
Risk change from: 7.3 to: 7.4 - (HIGH)
Sep 26, 2024
Vulnerability published.
Aug 9, 2023
Vulnerability Reserved.
Jul 5, 2023

Collectors

NVD DatabaseMitre Database

.