CVE-2021-38698:
HashiCorp Consul and Consul Enterprise 1.10.1 Txn.Apply endpoint allowed services to register proxies for other services, enabling access to service traffic.

CVSS Score: 6.5

Basic Information

EPSS Score: -
Published: 9/8/2021
Updated: 1/30/2023
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Package Name                 Ecosystem  Vulnerable Versions  First Patched Version
github.com/hashicorp/consul  go         = 1.10.1             1.10.2
github.com/hashicorp/consul  go         >= 1.9.0, < 1.9.9    1.9.9
github.com/hashicorp/consul  go         < 1.8.15             1.8.15

Vulnerability Intelligence
Root Cause Analysis

The vulnerability stemmed from a missing authorization check in the Txn.Apply endpoint when it handled proxy registrations. The linked PR #10824 shows fixes in the proxycfg manager's token handling (the ServiceToken function), where the default ACL token was not used when no service token was provided. As a result, a token holding service:write on any service could register a proxy for a service it was not authorized for; the Txn endpoint processing in txn_endpoint.go executed these unauthorized operations because of the missing token validation.
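To make the authorization gap concrete, the following added illustration (not Consul's code; the Policy type, prefix matching and the two vet functions are simplified stand-ins) contrasts a check that only looks at the proxy's own service name with one that also requires service:write on the service the proxy fronts:

```go
package main

import (
	"fmt"
	"strings"
)

// Policy is a simplified stand-in for a Consul ACL token's service rules:
// service name prefix -> "write" or "read". Not Consul's real types.
type Policy map[string]string

// ServiceWrite reports whether the token grants service:write on name
// (longest matching prefix wins, mirroring prefix-style rules).
func (p Policy) ServiceWrite(name string) bool {
	best, perm := -1, ""
	for prefix, level := range p {
		if strings.HasPrefix(name, prefix) && len(prefix) > best {
			best, perm = len(prefix), level
		}
	}
	return perm == "write"
}

// ProxyRegistration carries the two names that matter for a proxy:
// the proxy's own service name and the service it fronts.
type ProxyRegistration struct {
	Name        string
	Destination string
}

// vetProxyVulnerable models the flawed behaviour: only the proxy's own
// name is checked, so any service:write grant lets a token claim to
// front an arbitrary destination service.
func vetProxyVulnerable(p Policy, r ProxyRegistration) bool {
	return p.ServiceWrite(r.Name)
}

// vetProxyFixed also requires service:write on the destination service.
func vetProxyFixed(p Policy, r ProxyRegistration) bool {
	return p.ServiceWrite(r.Name) && p.ServiceWrite(r.Destination)
}

func main() {
	// Constructed token: write on names prefixed "web", read elsewhere.
	tok := Policy{"web": "write", "": "read"}
	reg := ProxyRegistration{Name: "web-sidecar-proxy", Destination: "billing"}
	fmt.Println("vulnerable check accepts:", vetProxyVulnerable(tok, reg)) // true
	fmt.Println("fixed check accepts:     ", vetProxyFixed(tok, reg))      // false
}
```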
