CVE-2023-3518 JWT Auth in L7 Intentions Allow For Mismatched Service Identity and JWT Providers for Access

2023-08-0915:06:52

CWE-285

HashiCorp

www.cve.org

cve-2023-3518

jwt auth

l7 intentions

hashicorp consul

consul enterprise

access control

7.4 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

0.0005 Low

EPSS

Percentile

17.0%

JSON

HashiCorp Consul and Consul Enterprise 1.16.0 when using JWT Auth for service mesh incorrectly allows/denies access regardless of service identities. Fixed in 1.16.1.

CNA Affected

[
  {
    "vendor": "HashiCorp",
    "product": "Consul",
    "platforms": [
      "64 bit",
      "32 bit",
      "x86",
      "ARM",
      "MacOS",
      "Windows",
      "Linux"
    ],
    "repo": "https://github.com/hashicorp/consul",
    "versions": [
      {
        "status": "affected",
        "version": "1.16.0"
      }
    ],
    "defaultStatus": "unaffected"
  },
  {
    "vendor": "HashiCorp",
    "product": "Consul Enterprise",
    "platforms": [
      "64 bit",
      "32 bit",
      "x86",
      "ARM",
      "MacOS",
      "Windows",
      "Linux"
    ],
    "versions": [
      {
        "status": "affected",
        "version": "1.16.0"
      }
    ],
    "defaultStatus": "unaffected"
  }
]