Vulnerability Description
In HashiCorp Consul and Consul Enterprise 1.9.0 through 1.10.0, a default-deny policy combined with a single L7 application-aware intention whose action is deny cancels out, so the intention incorrectly fails open and allows L4 traffic. Fixed in 1.9.8 and 1.10.1.
CVSS Score
7.5 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Hashicorp | Consul | >= 1.9.0, < 1.9.8 |
References
- https://discuss.hashicorp.com/t/hcsec-2021-16-consul-s-application-aware-intenti (Vendor Advisory)
- https://github.com/hashicorp/consul/releases/tag/v1.10.1 (Release Notes, Third Party Advisory)
- https://security.gentoo.org/glsa/202208-09 (Third Party Advisory)
- https://www.hashicorp.com/blog/category/consul (Product, Vendor Advisory)
FAQ
What is CVE-2021-36213?
CVE-2021-36213 is a vulnerability with a CVSS score of 7.5 (HIGH). HashiCorp Consul and Consul Enterprise 1.9.0 through 1.10.0 default deny policy with a single L7 application-aware intention deny action cancels out, causing the intention to incorrectly fail open, al...
How severe is CVE-2021-36213?
CVE-2021-36213 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-36213?
Check the references section above for vendor advisories and patch information. Affected products include: Hashicorp Consul.