Vulnerability Details : CVE-2021-32574
HashiCorp Consul and Consul Enterprise 1.3.0 through 1.10.0 Envoy proxy TLS configuration does not validate destination service identity in the encoded subject alternative name. Fixed in 1.8.14, 1.9.8, and 1.10.1.
Exploit prediction scoring system (EPSS) score for CVE-2021-32574
Probability of exploitation activity in the next 30 days: 0.14%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 49 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2021-32574
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
5.0
|
MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N |
10.0
|
2.9
|
NIST |
7.5
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
3.9
|
3.6
|
NIST |
CWE ids for CVE-2021-32574
-
The product does not validate, or incorrectly validates, a certificate.Assigned by: nvd@nist.gov (Primary)
References for CVE-2021-32574
-
https://discuss.hashicorp.com/t/hcsec-2021-17-consul-s-envoy-tls-configuration-did-not-validate-destination-service-subject-alternative-names/26856
HCSEC-2021-17 - Consul’s Envoy TLS Configuration Did Not Validate Destination Service Subject Alternative Names - Security - HashiCorp DiscussVendor Advisory
-
https://security.gentoo.org/glsa/202208-09
HashiCorp Consul: Multiple Vulnerabilities (GLSA 202208-09) — Gentoo securityThird Party Advisory
-
https://www.hashicorp.com/blog/category/consul
HashiCorp Blog: ConsulVendor Advisory
-
https://github.com/hashicorp/consul/releases/tag/v1.10.1
Release v1.10.1 · hashicorp/consul · GitHubThird Party Advisory
Products affected by CVE-2021-32574
- cpe:2.3:a:hashicorp:consul:*:*:*:*:-:*:*:*
- cpe:2.3:a:hashicorp:consul:*:*:*:*:enterprise:*:*:*
- cpe:2.3:a:hashicorp:consul:*:*:*:*:-:*:*:*
- cpe:2.3:a:hashicorp:consul:*:*:*:*:enterprise:*:*:*
- cpe:2.3:a:hashicorp:consul:*:*:*:*:enterprise:*:*:*
- cpe:2.3:a:hashicorp:consul:*:*:*:*:-:*:*:*