CVE-2021-41803: Missing Authorization

September 23, 2022 (updated November 7, 2023)

HashiCorp Consul 1.8.1 up to 1.11.8, 1.12.4, and 1.13.1 do not properly validate the node or segment names prior to interpolation and usage in JWT claim assertions with the auto config RPC. Fixed in 1.11.9, 1.12.5, and 1.13.2.

References

discuss.hashicorp.com/t/hcsec-2022-19-consul-auto-config-jwt-authorization-missing-input-validation/44627
nvd.nist.gov/vuln/detail/CVE-2021-41803
www.hashicorp.com/blog/category/consul

Detect and mitigate CVE-2021-41803 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →