CVE-2021-41803
HIGH 7.1 | EPSS 0.31% | Improper handling of node names in JWT claims assertions in github.com/hashicorp/consul
Published: 2022/9/25 | Modified: 2026/4/28
Description
HashiCorp Consul 1.8.1 up to 1.11.8, 1.12.4, and 1.13.1 do not properly validate the node or segment names prior to interpolation and usage in JWT claim assertions with the auto config RPC. Fixed in 1.11.9, 1.12.5, and 1.13.2.
Affected packages (4)
- Bitnami/consul: >= 1.8.1, < 1.11.9, >= 1.12.4, < 1.12.5, >= 1.13.1, < 1.13.2
- Debian/consul: from 0
- Go/github.com/hashicorp/consul: >= 1.8.1, < 1.11.9
- Go/github.com/hashicorp/consul: >= 1.8.1, < 1.11.9, >= 1.12.0, < 1.12.5, >= 1.13.0, < 1.13.2
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.1 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H |
Reference links (12)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2021-41803
- ADVISORY: https://security-tracker.debian.org/tracker/CVE-2021-41803
- PATCH: https://github.com/hashicorp/consul
- WEB: https://discuss.hashicorp.com/t/hcsec-2022-19-consul-auto-config-jwt-authorization-missing-input-validation/44627
- WEB: https://github.com/hashicorp/consul/pull/14577/commits/2c881259ce10e308ff03afc968c4165998fd7fee
- WEB: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/
- WEB: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XNF4OLYZRQE75EB5TW5N42FSXHBXGWFE/
- WEB: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZTE4ITXXPIWZEQ4HYQCB6N6GZIMWXDAI/
- WEB: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC
- WEB: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XNF4OLYZRQE75EB5TW5N42FSXHBXGWFE
- WEB: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTE4ITXXPIWZEQ4HYQCB6N6GZIMWXDAI
- WEB: https://www.hashicorp.com/blog/category/consul