CVE-2023-2816 HIGH

CVE-2023-2816: Consul Envoy Extension Downstream Proxy Configuration By Upstream Service Owner

Vendor HashiCorp
Product Consul
Weakness CWE-266
Published June 2, 2023
Last update October 7, 2024

CVSS base score

8.7/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Scope Changed
Confidentiality High
Integrity High
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N

What the vulnerability does

Description

Consul and Consul Enterprise allowed any user with service:write permissions to use Envoy extensions configured via service-defaults to patch remote proxy instances that target the configured service, regardless of whether the user has permission to modify the service(s) corresponding to those modified proxies.

Key dates

Disclosure timeline

June 2, 2023 CVE published
October 7, 2024 Record updated