Lucene search

GitHub Advisory DatabaseGHSA-9RHF-Q362-77MX

HistoryAug 09, 2023 - 6:30 p.m.

Consul JWT Auth in L7 Intentions Allow for Mismatched Service Identity and JWT Providers

2023-08-0918:30:52

CWE-285

GitHub Advisory Database

github.com

consul

vulnerability

access

mismatched service identity

jwt provider

cve-2023-3518

fixed

1.16.0

1.16.1

7.4 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

7.4 High

AI Score

Confidence

High

0.0005 Low

EPSS

Percentile

17.0%

JSON

A vulnerability was identified in Consul such that using JWT authentication for service mesh incorrectly allows/denies access regardless of service identities. This vulnerability, CVE-2023-3518, affects Consul 1.16.0 and was fixed in 1.16.1.

Affected configurations

Vulners

Node

github_advisory_databasegithub.com\/hashicorp\/consulMatch1.16.0

CPENameOperatorVersion
github.com/hashicorp/consuleq1.16.0

CPE	Name	Operator	Version
	github.com/hashicorp/consul	eq	1.16.0

References

discuss.hashicorp.com/t/hcsec-2023-25-consul-jwt-auth-in-l7-intentions-allow-for-mismatched-service-identity-and-jwt-providers/57004

github.com/advisories/GHSA-9rhf-q362-77mx

nvd.nist.gov/vuln/detail/CVE-2023-3518

7.4 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

7.4 High

AI Score

Confidence

High

0.0005 Low

EPSS

Percentile

17.0%

JSON

Related for GHSA-9RHF-Q362-77MX