Vulnerability Description
HashiCorp Consul and Consul Enterprise 1.3.0 through 1.10.0 Envoy proxy TLS configuration does not validate destination service identity in the encoded subject alternative name. Fixed in 1.8.14, 1.9.8, and 1.10.1.
CVSS Score
7.5
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Hashicorp | Consul | >= 1.3.0, < 1.8.14 |
Related Weaknesses (CWE)
References
- https://discuss.hashicorp.com/t/hcsec-2021-17-consul-s-envoy-tls-configuration-dVendor Advisory
- https://github.com/hashicorp/consul/releases/tag/v1.10.1Third Party Advisory
- https://security.gentoo.org/glsa/202208-09Third Party Advisory
- https://www.hashicorp.com/blog/category/consulVendor Advisory
- https://discuss.hashicorp.com/t/hcsec-2021-17-consul-s-envoy-tls-configuration-dVendor Advisory
- https://github.com/hashicorp/consul/releases/tag/v1.10.1Third Party Advisory
- https://security.gentoo.org/glsa/202208-09Third Party Advisory
- https://www.hashicorp.com/blog/category/consulVendor Advisory
FAQ
What is CVE-2021-32574?
CVE-2021-32574 is a vulnerability with a CVSS score of 7.5 (HIGH). HashiCorp Consul and Consul Enterprise 1.3.0 through 1.10.0 Envoy proxy TLS configuration does not validate destination service identity in the encoded subject alternative name. Fixed in 1.8.14, 1.9.8...
How severe is CVE-2021-32574?
CVE-2021-32574 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-32574?
Check the references section above for vendor advisories and patch information. Affected products include: Hashicorp Consul.