CVE-2021-41803
- Source
- https://cve.org/CVERecord?id=CVE-2021-41803
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-41803.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2021-41803
- Aliases
- Downstream
- Related
- Published
- 2022-09-23T01:15:08.623Z
- Modified
- 2026-04-10T04:38:44.969072Z
- Severity
-
- 7.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H CVSS Calculator
- Summary
- [none]
- Details
-
HashiCorp Consul 1.8.1 up to 1.11.8, 1.12.4, and 1.13.1 do not properly validate the node or segment names prior to interpolation and usage in JWT claim assertions with the auto config RPC. Fixed in 1.11.9, 1.12.5, and 1.13.2."
- References
-
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZTE4ITXXPIWZEQ4HYQCB6N6GZIMWXDAI/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XNF4OLYZRQE75EB5TW5N42FSXHBXGWFE/
- https://www.hashicorp.com/blog/category/consul
- https://discuss.hashicorp.com/t/hcsec-2022-19-consul-auto-config-jwt-authorization-missing-input-validation/44627
Affected packages
Git / github.com/hashicorp/consul
Affected ranges
- Type
- GIT
- Repo
- https://github.com/hashicorp/consul
- Events
-
IntroducedFixedIntroducedFixedIntroduced0 Unknown introduced commit / All previous commits are affectedLast affectedIntroduced0 Unknown introduced commit / All previous commits are affectedLast affectedIntroduced0 Unknown introduced commit / All previous commits are affectedLast affectedIntroduced0 Unknown introduced commit / All previous commits are affectedLast affected
- Database specific
{ "versions": [ { "introduced": "1.8.1" }, { "fixed": "1.11.9" }, { "introduced": "1.8.1" }, { "fixed": "1.11.9" }, { "introduced": "0" }, { "last_affected": "1.12.4" }, { "introduced": "0" }, { "last_affected": "1.12.4" }, { "introduced": "0" }, { "last_affected": "1.13.1" }, { "introduced": "0" }, { "last_affected": "1.13.1" } ] }
Affected versions
api/v1.*
api/v1.0.0
api/v1.0.1
api/v1.1.0
api/v1.10.0
api/v1.12.0
api/v1.13.0
api/v1.14.0
api/v1.2.0
api/v1.4.0
internal/v0.*
internal/v0.1.0
sdk/v0.*
sdk/v0.1.0
sdk/v0.1.1
sdk/v0.10.0
sdk/v0.11.0
sdk/v0.2.0
sdk/v0.4.0
sdk/v0.9.0
v0.*
v0.1.0
v0.2.0
v0.2.1
v0.3.0
v0.3.1
v0.4.0
v0.4.1
v0.5.0
v0.5.0rc1
v0.5.1
v0.5.2
v0.6.0
v0.6.0-rc1
v0.6.0-rc2
v0.6.1
v0.6.3
v0.6.4
v0.6.4-rc3
v0.7.0
v0.7.0-rc1
v0.7.0-rc2
v0.7.1
v0.7.2
v0.7.2-rc1
v0.7.3
v0.7.4
v0.8.0
v0.8.0-rc1
v0.8.1
v0.8.2
v0.8.4
v0.8.5
v0.9.0
v0.9.0-rc1
v0.9.1
v0.9.2
v0.9.3
v0.9.3-rc1
v0.9.3-rc2
v1.*
v1.0.0
v1.0.0-beta1
v1.0.0-beta2
v1.0.1
v1.0.1-rc1
v1.0.2
v1.0.3
v1.0.4
v1.0.5
v1.0.6
v1.0.7
v1.1.0
v1.12.4
v1.13.0
v1.13.1
v1.2.0
v1.2.1
v1.2.2
v1.2.3
v1.4.0
v1.4.0-rc1
v1.4.1
v1.4.2
v1.4.3
v1.4.4
v1.5.0
v1.5.1
v1.5.2
v1.5.3
v1.6.0
v1.6.1
v1.7.0
v1.7.0-beta1
v1.7.0-beta2
v1.7.0-beta3