-
CVSS Score
-Basic Information
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AI| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| github.com/hashicorp/consul | go | >= 1.15.0, < 1.15.3 | 1.15.3 |
Miggo AIRoot Cause AnalysisThe vulnerability stems from improper privilege validation when applying Envoy extensions configured via service-defaults. The advisory indicates Lambda and Lua extensions shared configuration logic that incorrectly allowed service:write holders to modify downstream proxies via 'outbound' listeners. The functions handling extension application (particularly for non-Lambda extensions) would need to 1) process service-defaults configurations and 2) propagate changes to proxies without proper target service authorization checks. These functions are core to the privilege escalation mechanism described, even without direct access to the patch diff.