CVE-2023-2816
8.7
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
Summary
Consul and Consul Enterprise allowed any user with service:write permissions to use Envoy extensions configured via service-defaults to patch remote proxy instances that target the configured service, regardless of whether the user has permission to modify the service(s) corresponding to those modified proxies.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| HashiCorp | Consul | 1.15.0 | affected |
| HashiCorp | Consul | 1.15.1 | affected |
| HashiCorp | Consul | 1.15.2 | affected |
| HashiCorp | Consul Enterprise | 1.15.0 | affected |
| HashiCorp | Consul Enterprise | 1.15.1 | affected |
| HashiCorp | Consul Enterprise | 1.15.2 | affected |
Weaknesses
- CWE-266: CWE-266: Incorrect Privilege Assignment
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
CVE Program Container
Additional References
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.