CVE-2021-41803

{"id": "CVE-2021-41803", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 4.2, "exploitabilityScore": 2.8}]}, "published": "2022-09-23T01:15:08.623", "references": [{"url": "https://discuss.hashicorp.com/t/hcsec-2022-19-consul-auto-config-jwt-authorization-missing-input-validation/44627", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/", "source": "cve@mitre.org"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XNF4OLYZRQE75EB5TW5N42FSXHBXGWFE/", "source": "cve@mitre.org"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZTE4ITXXPIWZEQ4HYQCB6N6GZIMWXDAI/", "source": "cve@mitre.org"}, {"url": "https://www.hashicorp.com/blog/category/consul", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-862"}]}], "descriptions": [{"lang": "en", "value": "HashiCorp Consul 1.8.1 up to 1.11.8, 1.12.4, and 1.13.1 do not properly validate the node or segment names prior to interpolation and usage in JWT claim assertions with the auto config RPC. Fixed in 1.11.9, 1.12.5, and 1.13.2.\""}, {"lang": "es", "value": "HashiCorp Consul versiones 1.8.1 hasta 1.11.8, 1.12.4 y 1.13.1, no comprueban apropiadamente los nombres de nodos o segmentos antes de la interpolaci\u00f3n y el uso en las aserciones de reclamaci\u00f3n JWT con el RPC de configuraci\u00f3n autom\u00e1tica. Corregido en versiones 1.11.9, 1.12.5 y 1.13.2\"."}], "lastModified": "2023-11-07T03:39:01.150", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:hashicorp:consul:*:*:*:*:-:*:*:*", "vulnerable": true, "matchCriteriaId": "5383A26F-D49C-435F-A81D-15A1A7A74215", "versionEndExcluding": "1.11.9", "versionStartIncluding": "1.8.1"}, {"criteria": "cpe:2.3:a:hashicorp:consul:*:*:*:*:enterprise:*:*:*", "vulnerable": true, "matchCriteriaId": "E72F2F36-94E2-40D8-AC42-805F3EB54922", "versionEndExcluding": "1.11.9", "versionStartIncluding": "1.8.1"}, {"criteria": "cpe:2.3:a:hashicorp:consul:1.12.4:*:*:*:-:*:*:*", "vulnerable": true, "matchCriteriaId": "4A8E6F38-D34C-4EAE-98C6-6C65ACF35BEA"}, {"criteria": "cpe:2.3:a:hashicorp:consul:1.12.4:*:*:*:enterprise:*:*:*", "vulnerable": true, "matchCriteriaId": "6A7455E7-398A-42A5-946A-2497B88394F2"}, {"criteria": "cpe:2.3:a:hashicorp:consul:1.13.1:*:*:*:-:*:*:*", "vulnerable": true, "matchCriteriaId": "80BC2226-63EB-41E2-BEB4-4B3A84393E48"}, {"criteria": "cpe:2.3:a:hashicorp:consul:1.13.1:*:*:*:enterprise:*:*:*", "vulnerable": true, "matchCriteriaId": "5A31B819-4F49-42A3-9685-CE34440A4850"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}