Vulnerabilities > CVE-2023-2816 - Unspecified vulnerability in Hashicorp Consul 1.15.0

CVSS 6.5 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

NONE

Integrity impact

HIGH

Availability impact

NONE

network

low complexity

hashicorp

NVD

Published: 2023-06-02

Updated: 2024-09-26

Summary

Consul and Consul Enterprise allowed any user with service:write permissions to use Envoy extensions configured via service-defaults to patch remote proxy instances that target the configured service, regardless of whether the user has permission to modify the service(s) corresponding to those modified proxies.

Vulnerable Configurations

Part	Description	Count
Application	Hashicorp Hashicorp Consul 1.15.0	2

References

https://discuss.hashicorp.com/t/hcsec-2023-16-consul-envoy-extension-downstream-proxy-configuration-by-upstream-service-owner/54525