Bug 2189788 (CVE-2021-41803) - CVE-2021-41803 consul: Consul Auto-Config JWT Authorization Missing Input Validation
Status: NEW
Alias: CVE-2021-41803
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nobody
Depends On: 2189789 2189790 2189791 2189792 2189793 2189794
Blocks: 2189661
Reported: 2023-04-26 07:51 UTC by Avinash Hanwate
Modified: 2025-03-17 23:44 UTC

Fixed In Version: Consul 1.11.9, Consul 1.12.5, Consul 1.13.2

Description Avinash Hanwate 2023-04-26 07:51:27 UTC
HashiCorp Consul 1.8.1 up to 1.11.8, 1.12.4, and 1.13.1 do not properly validate the node or segment names prior to interpolation and usage in JWT claim assertions with the auto config RPC. Fixed in 1.11.9, 1.12.5, and 1.13.2.

https://www.hashicorp.com/blog/category/consul
https://discuss.hashicorp.com/t/hcsec-2022-19-consul-auto-config-jwt-authorization-missing-input-validation/44627

Comment 1 Avinash Hanwate 2023-04-26 07:55:36 UTC
Created golang-github-hashicorp-consul tracking bugs for this issue:

Affects: fedora-all [bug 2189790]


Created golang-github-hashicorp-consul-api tracking bugs for this issue:

Affects: fedora-all [bug 2189791]


Created golang-github-hashicorp-consul-sdk tracking bugs for this issue:

Affects: fedora-all [bug 2189792]


Created moby-engine tracking bugs for this issue:

Affects: fedora-all [bug 2189789]

