CVE-2023-3518: Improper Authorization

August 9, 2023 (updated August 16, 2023)

HashiCorp Consul and Consul Enterprise 1.16.0 when using JWT Auth for service mesh incorrectly allows/denies access regardless of service identities. Fixed in 1.16.1.

References

discuss.hashicorp.com/t/hcsec-2023-25-consul-jwt-auth-in-l7-intentions-allow-for-mismatched-service-identity-and-jwt-providers/57004
github.com/hashicorp/consul/pull/18062
nvd.nist.gov/vuln/detail/CVE-2023-3518

Code Behaviors & Features

Detect and mitigate CVE-2023-3518 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →