CVE-2023-2816

Consul and Consul Enterprise allowed any user with service:write permissions to use Envoy extensions configured via service-defaults to patch remote proxy instances that target the configured service, regardless of whether the user has permission to modify the service(s) corresponding to those modified proxies.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:hashicorp:consul:*:*:*:*:-:*:*:*
cpe:2.3:a:hashicorp:consul:*:*:*:*:enterprise:*:*:*

History

26 Sep 2024, 19:15

Type Values Removed Values Added
CWE CWE-284 CWE-266

12 Jun 2023, 16:32

Type Values Removed Values Added
CPE cpe:2.3:a:hashicorp:consul:*:*:*:*:-:*:*:*
cpe:2.3:a:hashicorp:consul:*:*:*:*:enterprise:*:*:*
First Time Hashicorp
Hashicorp consul
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 6.5
References (MISC) https://discuss.hashicorp.com/t/hcsec-2023-16-consul-envoy-extension-downstream-proxy-configuration-by-upstream-service-owner/54525 - (MISC) https://discuss.hashicorp.com/t/hcsec-2023-16-consul-envoy-extension-downstream-proxy-configuration-by-upstream-service-owner/54525 - Vendor Advisory
CWE NVD-CWE-noinfo

02 Jun 2023, 23:15

Type Values Removed Values Added
New CVE

Information

Published : 2023-06-02 23:15

Updated : 2024-09-26 19:15


NVD link : CVE-2023-2816

Mitre link : CVE-2023-2816

CVE.ORG link : CVE-2023-2816


JSON object : View

Products Affected

hashicorp

  • consul
CWE
NVD-CWE-noinfo CWE-266

Incorrect Privilege Assignment