CVE-2023-2816

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-2816

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-2816.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2023-2816

Aliases

Related

UBUNTU-CVE-2023-2816

Published

2023-06-02T23:15:09Z

Modified

2024-11-21T07:59:20Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N CVSS Calculator

Summary

[none]

Details

Consul and Consul Enterprise allowed any user with service:write permissions to use Envoy extensions configured via service-defaults to patch remote proxy instances that target the configured service, regardless of whether the user has permission to modify the service(s) corresponding to those modified proxies.

References

https://discuss.hashicorp.com/t/hcsec-2023-16-consul-envoy-extension-downstream-proxy-configuration-by-upstream-service-owner/54525

Affected packages

Git / github.com/hashicorp/consul

Affected ranges

Type: GIT
Repo: https://github.com/hashicorp/consul
Events: Introduced

e836c8c3c004167509ff4860ba268e6a0d8087df

Fixed

19a8c3734adb79a1839cfd1760e13b812bdaa49b