Miggo Logo
Book a Demo
Miggo Vulnerability Database
CVE-2023-2816

CVE-2023-2816:
Hashicorp Consul allows user with service:write permissions to patch remote proxy instances

8.7

CVSS Score

Basic Information

CVE ID
CVE-2023-2816
GHSA ID
GHSA-rqjq-ww83-wv5c
EPSS Score
-
CWE
CWE-266
Published
6/3/2023
Updated
9/26/2024
KEV Status
No
Technology
TechnologyGo

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
github.com/hashicorp/consulgo>= 1.15.0, < 1.15.31.15.3

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from improper privilege validation when applying Envoy extensions configured via service-defaults. The advisory indicates Lambda and Lua extensions shared configuration logic that incorrectly allowed service:write holders to modify downstream proxies via 'outbound' listeners. The functions handling extension application (particularly for non-Lambda extensions) would need to 1) process service-defaults configurations and 2) propagate changes to proxies without proper target service authorization checks. These functions are core to the privilege escalation mechanism described, even without direct access to the patch diff.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*onsul *n* *onsul *nt*rpris* *llow** *ny us*r wit* s*rvi**:writ* p*rmissions to us* *nvoy *xt*nsions *on*i*ur** vi* s*rvi**-****ults to p*t** r*mot* proxy inst*n**s t**t t*r**t t** *on*i*ur** s*rvi**, r***r*l*ss o* w**t**r t** us*r **s p*rmission to

Reasoning

T** vuln*r**ility st*ms *rom improp*r privil*** v*li**tion w**n *pplyin* *nvoy *xt*nsions *on*i*ur** vi* s*rvi**-****ults. T** **visory in*i**t*s L*m*** *n* Lu* *xt*nsions s**r** *on*i*ur*tion lo*i* t**t in*orr**tly *llow** s*rvi**:writ* *ol**rs to m