GHSA-hr3v-8cp3-68rf

Source

https://github.com/advisories/GHSA-hr3v-8cp3-68rf

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-hr3v-8cp3-68rf/GHSA-hr3v-8cp3-68rf.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-hr3v-8cp3-68rf

Aliases

Related

CGA-x38p-p6h4-33cc

Published

2022-09-25T00:00:15Z

Modified

2024-04-22T19:08:30Z

Severity

7.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H CVSS Calculator

Summary

HashiCorp Consul does not properly validate node or segment names prior to usage in JWT claim assertions

Details

HashiCorp Consul 1.8.1 up to 1.11.8, 1.12.4, and 1.13.1 did not properly validate the node or segment names prior to interpolation and usage in JWT claim assertions with the auto config RPC. Fixed in 1.11.9, 1.12.5, and 1.13.2.

Database specific

{
    "nvd_published_at": "2022-09-23T01:15:00Z",
    "cwe_ids": [
        "CWE-862"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-02T20:30:12Z"
}

References

Affected packages

Go / github.com/hashicorp/consul

Package

Name: github.com/hashicorp/consul; View open source insights on deps.dev
Purl: pkg:golang/github.com/hashicorp/consul

Affected ranges

Type: SEMVER
Events: Introduced

1.8.1

Fixed

1.11.9

Go / github.com/hashicorp/consul

Package

Name: github.com/hashicorp/consul; View open source insights on deps.dev
Purl: pkg:golang/github.com/hashicorp/consul

Affected ranges

Type: SEMVER
Events: Introduced

1.12.0

Fixed

1.12.5

Go / github.com/hashicorp/consul

Package

Name: github.com/hashicorp/consul; View open source insights on deps.dev
Purl: pkg:golang/github.com/hashicorp/consul

Affected ranges

Type: SEMVER
Events: Introduced

1.13.0

Fixed

1.13.2