GHSA-hr3v-8cp3-68rf

Suggest an improvement
Source
https://github.com/advisories/GHSA-hr3v-8cp3-68rf
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-hr3v-8cp3-68rf/GHSA-hr3v-8cp3-68rf.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-hr3v-8cp3-68rf
Aliases
Published
2022-09-25T00:00:15Z
Modified
2024-04-22T19:08:30Z
Severity
  • 7.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H CVSS Calculator
Summary
HashiCorp Consul does not properly validate node or segment names prior to usage in JWT claim assertions
Details

HashiCorp Consul 1.8.1 up to 1.11.8, 1.12.4, and 1.13.1 did not properly validate the node or segment names prior to interpolation and usage in JWT claim assertions with the auto config RPC. Fixed in 1.11.9, 1.12.5, and 1.13.2.

References

Affected packages

Go / github.com/hashicorp/consul

Package

Name
github.com/hashicorp/consul
View open source insights on deps.dev
Purl
pkg:golang/github.com/hashicorp/consul

Affected ranges

Type
SEMVER
Events
Introduced
1.8.1
Fixed
1.11.9

Go / github.com/hashicorp/consul

Package

Name
github.com/hashicorp/consul
View open source insights on deps.dev
Purl
pkg:golang/github.com/hashicorp/consul

Affected ranges

Type
SEMVER
Events
Introduced
1.12.0
Fixed
1.12.5

Go / github.com/hashicorp/consul

Package

Name
github.com/hashicorp/consul
View open source insights on deps.dev
Purl
pkg:golang/github.com/hashicorp/consul

Affected ranges

Type
SEMVER
Events
Introduced
1.13.0
Fixed
1.13.2