CVE-2021-36213

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
17/07/2021
Last modified:
14/09/2022

Description

HashiCorp Consul and Consul Enterprise 1.9.0 through 1.10.0 default deny policy with a single L7 application-aware intention deny action cancels out, causing the intention to incorrectly fail open, allowing L4 traffic. Fixed in 1.9.8 and 1.10.1.

Vulnerable products and versions

CPE From Up to
cpe:2.3:a:hashicorp:consul:*:*:*:*:-:*:*:* 1.9.0 (including) 1.9.8 (excluding)
cpe:2.3:a:hashicorp:consul:*:*:*:*:enterprise:*:*:* 1.9.0 (including) 1.9.8 (excluding)
cpe:2.3:a:hashicorp:consul:*:*:*:*:-:*:*:* 1.10.0 (including) 1.10.1 (excluding)
cpe:2.3:a:hashicorp:consul:*:*:*:*:enterprise:*:*:* 1.10.0 (including) 1.10.1 (excluding)