CVE-2021-41803
HIGH
HashiCorp Consul 1.8.1-1.11.8, 1.12.4, 1.13.1 - Missing Authorization via JWT Claim Assertion
Title source: llm
Description
HashiCorp Consul 1.8.1 up to 1.11.8, 1.12.4, and 1.13.1 do not properly validate the node or segment names prior to interpolation and usage in JWT claim assertions with the auto config RPC. Fixed in 1.11.9, 1.12.5, and 1.13.2.
References (5)
Core References
Mailing List, Third Party Advisory vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZTE4ITXXPIWZEQ4HYQCB6N6GZIMWXDAI/
Mailing List, Third Party Advisory vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/
Mailing List, Third Party Advisory vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XNF4OLYZRQE75EB5TW5N42FSXHBXGWFE/
Vendor Advisory
https://discuss.hashicorp.com/t/hcsec-2022-19-consul-auto-config-jwt-authorization-missing-input-validation/44627
Vendor Advisory
https://www.hashicorp.com/blog/category/consul
Scores
CVSS v3
7.1
EPSS
0.0031
EPSS Percentile
54.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-862
Status
published
Products (4)
hashicorp/consul
1.12.4 (2 CPE variants)
hashicorp/consul
1.13.1 (2 CPE variants)
hashicorp/consul
1.8.1 - 1.11.9 (2 CPE variants)
hashicorp/consul
1.8.1 - 1.11.9 (Go)
Published
Sep 23, 2022
Tracked Since
Feb 18, 2026