CVE-2021-41803: HashiCorp Consul does not properly validate node or segment names prior to usage in JWT claim assertions
CVSS Score: 7.1 (CVSS v3.1)
Basic Information
CVE ID: CVE-2021-41803
GHSA ID:
EPSS Score: 0.50695%
CWE:
Published: 9/25/2022
Updated: 4/22/2024
KEV Status: No
Technology: Go
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
github.com/hashicorp/consul | go | >= 1.8.1, < 1.11.9 | 1.11.9 |
github.com/hashicorp/consul | go | >= 1.12.0, < 1.12.5 | 1.12.5 |
github.com/hashicorp/consul | go | >= 1.13.0, < 1.13.2 | 1.13.2 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from missing input validation in the JWT authorization path for auto-config requests. The fix commit adds regular-expression validation of the node, segment and partition fields in jwtAuthorizer.Authorize(), which shows that these caller-supplied values were previously used as-is. Because the claim assertions are built from those names, a name containing characters outside the expected set can alter what the assertion expresses rather than only the value it compares against; that is why the issue is classed as CWE-862 (Missing Authorization) even though the direct defect is absent input validation. Before the patch, the function reached its authorization decision on untrusted input without any sanitization. Note the CVSS vector's PR:L: the request has to carry a JWT the authorizer accepts, so the exposure is from clients that already hold a valid token, and the remedy is to move to the first patched version listed in the table above (1.11.9, 1.12.5 or 1.13.2).