ID CVE-2021-36213
Summary In HashiCorp Consul and Consul Enterprise 1.9.0 through 1.10.0, a default deny policy combined with a single L7 application-aware intention that has a deny action cancels out, causing the intention to incorrectly fail open and allow L4 traffic. Fixed in 1.9.8 and 1.10.1.
References
Vulnerable Configurations
  • cpe:2.3:a:hashicorp:consul:1.9.0:*:*:*:-:*:*:*
  • cpe:2.3:a:hashicorp:consul:1.9.1:*:*:*:-:*:*:*
  • cpe:2.3:a:hashicorp:consul:1.9.2:*:*:*:-:*:*:*
  • cpe:2.3:a:hashicorp:consul:1.9.3:*:*:*:-:*:*:*
  • cpe:2.3:a:hashicorp:consul:1.9.4:*:*:*:-:*:*:*
  • cpe:2.3:a:hashicorp:consul:1.9.5:*:*:*:-:*:*:*
  • cpe:2.3:a:hashicorp:consul:1.9.6:*:*:*:-:*:*:*
  • cpe:2.3:a:hashicorp:consul:1.9.7:*:*:*:-:*:*:*
  • cpe:2.3:a:hashicorp:consul:1.9.0:*:*:*:enterprise:*:*:*
  • cpe:2.3:a:hashicorp:consul:1.9.1:*:*:*:enterprise:*:*:*
  • cpe:2.3:a:hashicorp:consul:1.9.2:*:*:*:enterprise:*:*:*
  • cpe:2.3:a:hashicorp:consul:1.9.3:*:*:*:enterprise:*:*:*
  • cpe:2.3:a:hashicorp:consul:1.9.4:*:*:*:enterprise:*:*:*
  • cpe:2.3:a:hashicorp:consul:1.9.5:*:*:*:enterprise:*:*:*
  • cpe:2.3:a:hashicorp:consul:1.9.6:*:*:*:enterprise:*:*:*
  • cpe:2.3:a:hashicorp:consul:1.9.7:*:*:*:enterprise:*:*:*
  • cpe:2.3:a:hashicorp:consul:1.10.0:-:*:*:-:*:*:*
  • cpe:2.3:a:hashicorp:consul:1.10.0:alpha:*:*:-:*:*:*
  • cpe:2.3:a:hashicorp:consul:1.10.0:beta1:*:*:-:*:*:*
  • cpe:2.3:a:hashicorp:consul:1.10.0:beta2:*:*:-:*:*:*
  • cpe:2.3:a:hashicorp:consul:1.10.0:beta3:*:*:-:*:*:*
  • cpe:2.3:a:hashicorp:consul:1.10.0:beta4:*:*:-:*:*:*
  • cpe:2.3:a:hashicorp:consul:1.10.0:rc:*:*:-:*:*:*
  • cpe:2.3:a:hashicorp:consul:1.10.0:rc2:*:*:-:*:*:*
  • cpe:2.3:a:hashicorp:consul:1.10.0:*:*:*:enterprise:*:*:*
CVSS
Base: 5.0 (as of 29-07-2021 - 13:55)
Impact:
Exploitability:
CWE NVD-CWE-noinfo
CAPEC
Access
  • Vector: NETWORK
  • Complexity: LOW
  • Authentication: NONE
Impact
  • Confidentiality: NONE
  • Integrity: PARTIAL
  • Availability: NONE
cvss-vector via4 AV:N/AC:L/Au:N/C:N/I:P/A:N
Last major update 29-07-2021 - 13:55
Published 17-07-2021 - 18:15
Last modified 29-07-2021 - 13:55