HashiCorp Consul and Consul Enterprise 1.3.0 through 1.10.0 Envoy proxy TLS configuration does not validate destination service identity in the encoded subject alternative name. Fixed in 1.8.14, 1.9.8, and 1.10.1.
References
Link | Resource |
---|---|
https://discuss.hashicorp.com/t/hcsec-2021-17-consul-s-envoy-tls-configuration-did-not-validate-destination-service-subject-alternative-names/26856 | Vendor Advisory |
https://github.com/hashicorp/consul/releases/tag/v1.10.1 | Third Party Advisory |
https://security.gentoo.org/glsa/202208-09 | Third Party Advisory |
https://www.hashicorp.com/blog/category/consul | Vendor Advisory |
History
No history.
Information
Published : 2021-07-17 18:15
Updated : 2024-02-28 18:28
NVD link : CVE-2021-32574
Mitre link : CVE-2021-32574
CVE.ORG link : CVE-2021-32574
Products Affected
hashicorp
- consul
CWE
CWE-295
Improper Certificate Validation