CVE-2023-3518

HIGH7.4EPSS 0.13%

JWT Auth in L7 Intentions Allow For Mismatched Service Identity and JWT Providers for Access

發布日:2023/8/9修改日:2025/11/6

也稱為:GHSA-9rhf-q362-77mxBIT-consul-2023-3518CGA-674j-xmrj-29xpGO-2024-2704

描述

HashiCorp Consul and Consul Enterprise 1.16.0 when using JWT Auth for service mesh incorrectly allows/denies access regardless of service identities. Fixed in 1.16.1.

受影響套件(3)

Bitnami/consul>= 1.16.0, < 1.16.1
Go/github.com/hashicorp/consul>= 1.16.0, < 1.16.1
Go/github.com/hashicorp/consul>= 1.16.0, < 1.16.1

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	HIGH7.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

參考連結(4)

ADVISORYhttps://github.com/advisories/GHSA-9rhf-q362-77mx
ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2023-3518
PATCHhttps://github.com/hashicorp/consul
WEBhttps://discuss.hashicorp.com/t/hcsec-2023-25-consul-jwt-auth-in-l7-intentions-allow-for-mismatched-service-identity-and-jwt-providers/57004