CVE-2021-32574

HIGH7.5EPSS 0.80%

Hashicorp Consul Missing SSL Certificate Validation

發布日:2021/7/19修改日:2025/4/3

也稱為:GHSA-25gf-8qrr-g78rBIT-consul-2021-32574CGA-gcgj-5mw8-c96fGO-2022-0894

描述

HashiCorp Consul and Consul Enterprise 1.3.0 through 1.10.0 Envoy proxy TLS configuration does not validate destination service identity in the encoded subject alternative name. Fixed in 1.8.14, 1.9.8, and 1.10.1.

受影響套件(4)

Bitnami/consul>= 1.3.0, < 1.8.14, >= 1.9.0, < 1.9.8, >= 1.10.0, < 1.10.1
Debian/consulfrom 0
Go/github.com/hashicorp/consulfrom 0, < 1.10.1
Go/github.com/hashicorp/consulfrom 0, < 1.10.1

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

參考連結(7)

ADVISORYhttps://github.com/advisories/GHSA-25gf-8qrr-g78r
ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2021-32574
ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2021-32574
WEBhttps://discuss.hashicorp.com/t/hcsec-2021-17-consul-s-envoy-tls-configuration-did-not-validate-destination-service-subject-alternative-names/26856
WEBhttps://github.com/hashicorp/consul/releases/tag/v1.10.1
WEBhttps://security.gentoo.org/glsa/202208-09
WEBhttps://www.hashicorp.com/blog/category/consul