CVE-2021-38698: Incorrect Authorization

September 7, 2021 (updated September 14, 2022)

HashiCorp Consul and Consul Enterprise 1.10.1 Txn.Apply endpoint allowed services to register proxies for other services, enabling access to service traffic. Fixed in 1.8.15, 1.9.9 and 1.10.2.

References

discuss.hashicorp.com/t/hcsec-2021-24-consul-missing-authorization-check-on-txn-apply-endpoint/29026
github.com/advisories/GHSA-6hw5-6gcx-phmw
github.com/hashicorp/consul/pull/10824
nvd.nist.gov/vuln/detail/CVE-2021-38698
www.hashicorp.com/blog/category/consul

Detect and mitigate CVE-2021-38698 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →