CVE-2021-41805 - Incorrect Authorization vulnerability in HashiCorp Consul
CVSS metrics
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: LOW
Confidentiality impact: HIGH
Integrity impact: HIGH
Availability impact: HIGH
Summary
HashiCorp Consul Enterprise before 1.8.17, 1.9.x before 1.9.11, and 1.10.x before 1.10.4 has Incorrect Access Control. An ACL token (with the default operator:write permissions) in one namespace can be used for unintended privilege escalation in a different namespace.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
References
- https://discuss.hashicorp.com/t/hcsec-2021-29-consul-enterprise-namespace-default-acls-allow-privilege-escalation/31871
- https://security.netapp.com/advisory/ntap-20211229-0007/
- https://www.hashicorp.com/blog/category/consul