CVE-2023-2816

Summary

Consul and Consul Enterprise allowed any user with service:write permissions to use Envoy extensions configured via service-defaults to patch remote proxy instances that target the configured service, regardless of whether the user has permission to modify the service(s) corresponding to those modified proxies.

Affected Software

VendorProductVersion RangeStatus
HashiCorpConsul1.15.0affected
HashiCorpConsul1.15.1affected
HashiCorpConsul1.15.2affected
HashiCorpConsul Enterprise1.15.0affected
HashiCorpConsul Enterprise1.15.1affected
HashiCorpConsul Enterprise1.15.2affected

Weaknesses

  • CWE-266: CWE-266: Incorrect Privilege Assignment

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

CVE Program Container

Additional References

References