CVE-2023-2816

CVSS V2 None CVSS V3 None

Description

Consul and Consul Enterprise allowed any user with service:write permissions to use Envoy extensions configured via service-defaults to patch remote proxy instances that target the configured service, regardless of whether the user has permission to modify the service(s) corresponding to those modified proxies.

Overview

CVE ID
CVE-2023-2816

Assigner
HashiCorp

Vulnerability Status
PUBLISHED

Published Version
2023-06-02T22:43:34.553Z

Last Modified Date
2023-06-02T22:43:34.553Z

Weakness Enumerations

CWE	URL
CWE-284	http://cwe.mitre.org/data/definitions/284.html

References

Reference URL	Reference Tags
https://discuss.hashicorp.com/t/hcsec-2023-16-consul-envoy-extension-downstream-proxy-configuration-by-upstream-service-owner/54525

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2023-2816
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2816

History

Created	Old Value	New Value	Data Type	Notes
2024-06-24 21:58:54				Added to TrackCVE