GitHub Advisory DatabaseGHSA-CCW8-7688-VQX4HashiCorp Consul Privilege Escalation Vulnerability
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
6.5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P
0.002 Low
EPSS
Percentile
56.7%
HashiCorp Consul and Consul Enterprise 1.10.1 Raft RPC layer allows non-server agents with a valid certificate signed by the same CA to access server-only functionality, enabling privilege escalation. Fixed in 1.8.15, 1.9.9 and 1.10.2.
| CPE | Name | Operator | Version |
|---|---|---|---|
| github.com/hashicorp/consul | lt | 1.8.15 | |
| github.com/hashicorp/consul | lt | 1.9.9 | |
| github.com/hashicorp/consul | eq | 1.10.1 |
References
discuss.hashicorp.com/t/hcsec-2021-22-consul-raft-rpc-privilege-escalation/29024
github.com/advisories/GHSA-ccw8-7688-vqx4
github.com/hashicorp/consul/commit/3357e57dac9aadabd476f7a14973e47f003c4cf0
github.com/hashicorp/consul/commit/473edd1764b6739e2e4610ea5dede4c2bc6009d1
github.com/hashicorp/consul/commit/ccf8eb1947357434eb6e66303ddab79f4c9d4103
github.com/hashicorp/consul/pull/10925
nvd.nist.gov/vuln/detail/CVE-2021-37219
security.gentoo.org/glsa/202207-01
www.hashicorp.com/blog/category/consul
Related
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
6.5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P
0.002 Low
EPSS
Percentile
56.7%