CVE-2023-2816 — HIGH (8.7) — White Hats Nepal

Q: How severe is CVE-2023-2816?

CVE-2023-2816 has been rated HIGH with a CVSS base score of 8.7/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2023-2816?

Check the references section above for vendor advisories and patch information. Affected products include: Hashicorp Consul.

Vulnerability Description

Consul and Consul Enterprise allowed any user with service:write permissions to use Envoy extensions configured via service-defaults to patch remote proxy instances that target the configured service, regardless of whether the user has permission to modify the service(s) corresponding to those modified proxies.

CVSS Score

8.7

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
Hashicorp	Consul	>= 1.15.0, < 1.15.3

Related Weaknesses (CWE)

CWE-266

References

https://discuss.hashicorp.com/t/hcsec-2023-16-consul-envoy-extension-downstream-Vendor Advisory
https://discuss.hashicorp.com/t/hcsec-2023-16-consul-envoy-extension-downstream-Vendor Advisory

FAQ

What is CVE-2023-2816?

CVE-2023-2816 is a vulnerability with a CVSS score of 8.7 (HIGH). Consul and Consul Enterprise allowed any user with service:write permissions to use Envoy extensions configured via service-defaults to patch remote proxy instances that target the configured service,...

How severe is CVE-2023-2816?

CVE-2023-2816 has been rated HIGH with a CVSS base score of 8.7/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2023-2816?

Check the references section above for vendor advisories and patch information. Affected products include: Hashicorp Consul.