
CVE-2021-41803: HashiCorp Consul does not properly validate node or segment names prior to usage in JWT claim assertions

CVSS Score: 7.1 (CVSS v3.1)

Basic Information

EPSS Score: 0.50695%
Published: 9/25/2022
Updated: 4/22/2024
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H

Package Name                 Ecosystem  Vulnerable Versions   First Patched Version
github.com/hashicorp/consul  go         >= 1.8.1, < 1.11.9    1.11.9
github.com/hashicorp/consul  go         >= 1.12.0, < 1.12.5   1.12.5
github.com/hashicorp/consul  go         >= 1.13.0, < 1.13.2   1.13.2

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability stems from missing input validation in the JWT authorization process for auto-config requests. The commit diff shows added regex validation for node/segment/partition fields in jwtAuthorizer.Authorize(), indicating these parameters were previously unvalidated. The CWE-862 (Missing Authorization) aligns with insufficient validation before using these parameters in security-critical JWT claim assertions. The vulnerable function handles the authorization logic and would have processed untrusted input without sanitization prior to the patch.
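The hardening the commit is described as adding, shown as an added Go example that is not Consul's own code: every node, segment and partition name is checked against an allow-list regex before it is interpolated into a claim-assertion template, and only the expected assertion shape is accepted after interpolation. The identifier pattern, the `AutoConfigRequest` struct, the `value.<claim> == "<literal>"` assertion form and the sample claims are all assumptions made for this illustration, not Consul's actual rules or types.

```go
package main

import (
	"fmt"
	"os"
	"regexp"
)

// Constructed identifier rule (assumption, not Consul's actual pattern):
// alphanumerics, hyphen and underscore, 1-64 characters.
var identRe = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9_-]{0,63}$`)

// Only this narrow assertion form is accepted after interpolation
// (assumed syntax for the example):  value.<claim> == "<literal>"
var assertionRe = regexp.MustCompile(`^value\.([A-Za-z0-9_]+) == "([^"]*)"$`)

// AutoConfigRequest carries the names a joining node supplies (hypothetical struct).
type AutoConfigRequest struct {
	Node      string
	Segment   string
	Partition string
}

// ValidateNames rejects any node/segment/partition value that does not match
// identRe. Node is required; segment and partition may be empty.
func ValidateNames(node, segment, partition string) error {
	if node == "" {
		return fmt.Errorf("node name is required")
	}
	for _, f := range []struct{ name, value string }{
		{"node", node}, {"segment", segment}, {"partition", partition},
	} {
		if f.value == "" && f.name != "node" {
			continue
		}
		if !identRe.MatchString(f.value) {
			return fmt.Errorf("invalid %s name %q", f.name, f.value)
		}
	}
	return nil
}

// EvaluateAssertions interpolates ${node}/${segment}/${partition} into each
// assertion template and checks that the named JWT claim equals the literal.
func EvaluateAssertions(templates []string, vars, claims map[string]string) (bool, error) {
	for _, t := range templates {
		expanded := os.Expand(t, func(k string) string { return vars[k] })
		m := assertionRe.FindStringSubmatch(expanded)
		if m == nil {
			return false, fmt.Errorf("assertion %q does not have the expected form", expanded)
		}
		if claims[m[1]] != m[2] {
			return false, nil
		}
	}
	return true, nil
}

// Authorize is the hardened path: validate the names first, interpolate second.
func Authorize(req AutoConfigRequest, claims map[string]string) (bool, error) {
	if err := ValidateNames(req.Node, req.Segment, req.Partition); err != nil {
		return false, err
	}
	vars := map[string]string{"node": req.Node, "segment": req.Segment, "partition": req.Partition}
	return EvaluateAssertions([]string{`value.node == "${node}"`}, vars, claims)
}

func main() {
	claims := map[string]string{"node": "web-01"} // constructed JWT claims
	for _, req := range []AutoConfigRequest{
		{Node: "web-01"},   // matches the claim: authorized
		{Node: "web-02"},   // well-formed but mismatched: denied, no error
		{Node: `web "01`},  // fails the regex: rejected before interpolation
	} {
		ok, err := Authorize(req, claims)
		fmt.Printf("node=%q ok=%v err=%v\n", req.Node, ok, err)
	}
}
```

The ordering is the point: a name that fails `ValidateNames` never reaches `os.Expand`, so whatever characters it carries cannot change the shape of the assertion. The post-interpolation regex is a second, independent check that the expanded assertion still has exactly the expected form.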

Vulnerable functions


WAF Protection Rules

WAF Rule

HashiCorp Consul 1.8.1 up to 1.11.8, 1.12.4, and 1.13.1 did not properly validate the node or segment names prior to interpolation and usage in JWT claim assertions with the auto config RPC. Fixed in 1.11.9, 1.12.5, and 1.13.2.
