CVE-2021-32574

Severity CVSS v4.0:
Pending analysis
Type:
CWE-295 Improper Certificate Validation
Publication date:
17/07/2021
Last modified:
25/10/2022

Description

HashiCorp Consul and Consul Enterprise 1.3.0 through 1.10.0 Envoy proxy TLS configuration does not validate destination service identity in the encoded subject alternative name. Fixed in 1.8.14, 1.9.8, and 1.10.1.

Vulnerable products and versions

CPE From Up to
cpe:2.3:a:hashicorp:consul:*:*:*:*:-:*:*:* 1.3.0 (including) 1.8.14 (excluding)
cpe:2.3:a:hashicorp:consul:*:*:*:*:enterprise:*:*:* 1.3.0 (including) 1.8.14 (excluding)
cpe:2.3:a:hashicorp:consul:*:*:*:*:-:*:*:* 1.9.0 (including) 1.9.8 (excluding)
cpe:2.3:a:hashicorp:consul:*:*:*:*:enterprise:*:*:* 1.9.0 (including) 1.9.8 (excluding)
cpe:2.3:a:hashicorp:consul:*:*:*:*:-:*:*:* 1.10.0 (including) 1.10.1 (excluding)
cpe:2.3:a:hashicorp:consul:*:*:*:*:enterprise:*:*:* 1.10.0 (including) 1.10.1 (excluding)