Vulnerabilities > CVE-2021-36213 - Unspecified vulnerability in Hashicorp Consul

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

NONE

Integrity impact

HIGH

Availability impact

NONE

network

low complexity

hashicorp

NVD

Published: 2021-07-17

Updated: 2022-09-14

Summary

HashiCorp Consul and Consul Enterprise 1.9.0 through 1.10.0 default deny policy with a single L7 application-aware intention deny action cancels out, causing the intention to incorrectly fail open, allowing L4 traffic. Fixed in 1.9.8 and 1.10.1.

Vulnerable Configurations

Part	Description	Count
Application	Hashicorp Hashicorp Consul 1.10.0 Hashicorp Consul 1.9.0 Hashicorp Consul 1.9.1 Hashicorp Consul 1.9.2 Hashicorp Consul 1.9.3 Hashicorp Consul 1.9.4 Hashicorp Consul 1.9.5 Hashicorp Consul 1.9.6 Hashicorp Consul 1.9.7	25

References

https://www.hashicorp.com/blog/category/consul
https://github.com/hashicorp/consul/releases/tag/v1.10.1
https://discuss.hashicorp.com/t/hcsec-2021-16-consul-s-application-aware-intentions-deny-action-fails-open-when-combined-with-default-deny-policy/26855
https://security.gentoo.org/glsa/202208-09