CVE-2021-32574
Hashicorp Consul Missing SSL Certificate Validation in github.com/hashicorp/consul
HIGH 7.5 | EPSS 0.80%
Published: 7/19/2021 | Modified: 4/28/2026
Description
HashiCorp Consul and Consul Enterprise 1.3.0 through 1.10.0 Envoy proxy TLS configuration does not validate destination service identity in the encoded subject alternative name. Fixed in 1.8.14, 1.9.8, and 1.10.1.
Affected packages (4)
- Bitnami/consul: >= 1.3.0, < 1.8.14, >= 1.9.0, < 1.9.8, >= 1.10.0, < 1.10.1
- Debian/consul: from 0
- Go/github.com/hashicorp/consul: from 0, < 1.10.1
- Go/github.com/hashicorp/consul: from 0, < 1.10.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
References (7)
- ADVISORY: https://github.com/advisories/GHSA-25gf-8qrr-g78r
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2021-32574
- ADVISORY: https://security-tracker.debian.org/tracker/CVE-2021-32574
- WEB: https://discuss.hashicorp.com/t/hcsec-2021-17-consul-s-envoy-tls-configuration-did-not-validate-destination-service-subject-alternative-names/26856
- WEB: https://github.com/hashicorp/consul/releases/tag/v1.10.1
- WEB: https://security.gentoo.org/glsa/202208-09
- WEB: https://www.hashicorp.com/blog/category/consul