CVE-2021-41803
Severity: HIGH 7.1 | EPSS: 0.31%
Improper handling of node names in JWT claims assertions in github.com/hashicorp/consul
Published: 9/25/2022 | Modified: 4/28/2026
Description
HashiCorp Consul 1.8.1 up to 1.11.8, 1.12.4, and 1.13.1 do not properly validate the node or segment names prior to interpolation and usage in JWT claim assertions with the auto config RPC. Fixed in 1.11.9, 1.12.5, and 1.13.2.
Affected packages (4)
- Bitnami / consul: >= 1.8.1, < 1.11.9; >= 1.12.4, < 1.12.5; >= 1.13.1, < 1.13.2
- Debian / consul: from 0
- Go / github.com/hashicorp/consul: >= 1.8.1, < 1.11.9
- Go / github.com/hashicorp/consul: >= 1.8.1, < 1.11.9; >= 1.12.0, < 1.12.5; >= 1.13.0, < 1.13.2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.1 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H |
References (12)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2021-41803
- ADVISORY: https://security-tracker.debian.org/tracker/CVE-2021-41803
- PATCH: https://github.com/hashicorp/consul
- WEB: https://discuss.hashicorp.com/t/hcsec-2022-19-consul-auto-config-jwt-authorization-missing-input-validation/44627
- WEB: https://github.com/hashicorp/consul/pull/14577/commits/2c881259ce10e308ff03afc968c4165998fd7fee
- WEB: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/
- WEB: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XNF4OLYZRQE75EB5TW5N42FSXHBXGWFE/
- WEB: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZTE4ITXXPIWZEQ4HYQCB6N6GZIMWXDAI/
- WEB: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC
- WEB: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XNF4OLYZRQE75EB5TW5N42FSXHBXGWFE
- WEB: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZTE4ITXXPIWZEQ4HYQCB6N6GZIMWXDAI
- WEB: https://www.hashicorp.com/blog/category/consul