CVE-2021-41805: Incorrect Authorization

December 12, 2021 (updated March 31, 2022)

HashiCorp Consul Enterprise before 1.8.17, 1.9.x before 1.9.11, and 1.10.x before 1.10.4 has Incorrect Access Control. An ACL token (with the default operator:write permissions) in one namespace can be used for unintended privilege escalation in a different namespace.

References

discuss.hashicorp.com/t/hcsec-2021-29-consul-enterprise-namespace-default-acls-allow-privilege-escalation/31871
nvd.nist.gov/vuln/detail/CVE-2021-41805
security.netapp.com/advisory/ntap-20211229-0007/
www.hashicorp.com/blog/category/consul

Code Behaviors & Features

Detect and mitigate CVE-2021-41805 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →