CVE-2021-38698
Severity: MEDIUM 6.5 | EPSS: 0.56% | Package: github.com/hashicorp/consul
Published: 9/8/2021 | Modified: 4/28/2026
Description
HashiCorp Consul and Consul Enterprise 1.10.1 Txn.Apply endpoint allowed services to register proxies for other services, enabling access to service traffic. Fixed in 1.8.15, 1.9.9 and 1.10.2.
Affected packages (4)
- Bitnami/consul: from 0, < 1.8.15, >= 1.9.0, < 1.9.9, >= 1.10.0, < 1.10.2
- Debian/consul: from 0
- Go/github.com/hashicorp/consul: >= 1.10.1, < 1.10.2
- Go/github.com/hashicorp/consul: from 0, < 1.8.15, >= 1.9.0, < 1.9.9, >= 1.10.1, < 1.10.2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
References (8)
- ADVISORY: https://github.com/advisories/GHSA-6hw5-6gcx-phmw
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2021-38698
- ADVISORY: https://security-tracker.debian.org/tracker/CVE-2021-38698
- PATCH: https://github.com/hashicorp/consul
- WEB: https://discuss.hashicorp.com/t/hcsec-2021-24-consul-missing-authorization-check-on-txn-apply-endpoint/29026
- WEB: https://github.com/hashicorp/consul/pull/10824
- WEB: https://security.gentoo.org/glsa/202208-09
- WEB: https://www.hashicorp.com/blog/category/consul