GHSA-rqjq-ww83-wv5c

Source
https://github.com/advisories/GHSA-rqjq-ww83-wv5c
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-rqjq-ww83-wv5c/GHSA-rqjq-ww83-wv5c.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-rqjq-ww83-wv5c
Aliases
Published
2023-06-03T00:30:16Z
Modified
2023-12-06T01:02:57.286088Z
Severity
  • 8.7 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
Summary
HashiCorp Consul allows a user with service:write permissions to patch remote proxy instances
Details

Consul and Consul Enterprise allowed any user with service:write permissions to use Envoy extensions configured via service-defaults to patch remote proxy instances that target the configured service, regardless of whether the user has permission to modify the service(s) corresponding to those modified proxies.

References

Affected packages

Go / github.com/hashicorp/consul

Package

Name
github.com/hashicorp/consul
Purl
pkg:golang/github.com/hashicorp/consul

Affected ranges

Type
SEMVER
Events
Introduced
1.15.0
Fixed
1.15.3