CVE-2023-3518

HIGH7.4EPSS 0.13%

JWT Auth in L7 Intentions Allow For Mismatched Service Identity and JWT Providers for Access

Published: 8/9/2023Modified: 11/6/2025

Also known as:GHSA-9rhf-q362-77mxBIT-consul-2023-3518GO-2024-2704

Description

HashiCorp Consul and Consul Enterprise 1.16.0 when using JWT Auth for service mesh incorrectly allows/denies access regardless of service identities. Fixed in 1.16.1.

Affected packages (3)

Bitnami/consul>= 1.16.0, < 1.16.1
Go/github.com/hashicorp/consul>= 1.16.0, < 1.16.1
Go/github.com/hashicorp/consul>= 1.16.0, < 1.16.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

References (4)

ADVISORYhttps://github.com/advisories/GHSA-9rhf-q362-77mx
ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2023-3518
PATCHhttps://github.com/hashicorp/consul
WEBhttps://discuss.hashicorp.com/t/hcsec-2023-25-consul-jwt-auth-in-l7-intentions-allow-for-mismatched-service-identity-and-jwt-providers/57004