Vulnerability Description
HashiCorp Consul and Consul Enterprise 1.10.1 Raft RPC layer allows non-server agents with a valid certificate signed by the same CA to access server-only functionality, enabling privilege escalation. Fixed in 1.8.15, 1.9.9 and 1.10.2.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Hashicorp | Consul | < 1.8.15 |
Related Weaknesses (CWE)
References
- https://discuss.hashicorp.com/t/hcsec-2021-22-consul-raft-rpc-privilege-escalatiVendor Advisory
- https://security.gentoo.org/glsa/202207-01Third Party Advisory
- https://www.hashicorp.com/blog/category/consulProductVendor Advisory
- https://discuss.hashicorp.com/t/hcsec-2021-22-consul-raft-rpc-privilege-escalatiVendor Advisory
- https://security.gentoo.org/glsa/202207-01Third Party Advisory
- https://www.hashicorp.com/blog/category/consulProductVendor Advisory
FAQ
What is CVE-2021-37219?
CVE-2021-37219 is a vulnerability with a CVSS score of 8.8 (HIGH). HashiCorp Consul and Consul Enterprise 1.10.1 Raft RPC layer allows non-server agents with a valid certificate signed by the same CA to access server-only functionality, enabling privilege escalation....
How severe is CVE-2021-37219?
CVE-2021-37219 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-37219?
Check the references section above for vendor advisories and patch information. Affected products include: Hashicorp Consul.