PT-2021-6606 · Hashicorp · Hashicorp Consul

Published: 2021-07-15 · Updated: 2024-08-21 · CVE-2021-32574

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:C/A:N
Name of the Vulnerable Software and Affected Versions: HashiCorp Consul and Consul Enterprise versions 1.3.0 through 1.10.0

Description: The issue stems from the absence of validation of the destination service identity encoded in the Subject Alternative Name (SAN) of the Envoy proxy TLS configuration. The xDS component does not ensure that the Subject Alternative Name of an upstream is validated, which allows a remote attacker to impact data integrity.

Recommendations: For versions 1.3.0 through 1.7.13, update to version 1.8.14. For versions 1.8.0 through 1.9.7, update to version 1.9.8. For version 1.10.0, update to version 1.10.1. As a temporary workaround, consider restricting access to the vulnerable xDS component until a patch is available.

Fix

Weakness Enumeration

Improper Certificate Validation

Related Identifiers

ALT-PU-2021-3445
ALT-PU-2023-7106
ALT-PU-2024-8028
BDU:2022-01882
BIT-CONSUL-2021-32574
CVE-2021-32574
GHSA-25GF-8QRR-G78R
GO-2022-0894

Affected Products

Alt Linux
Hashicorp Consul Enterprise
Debian
Hashicorp Consul