Consul: Remote Proxy Modification via Envoy Extensions (CVE-2023-2816)
CVE-2023-2816 Published on June 2, 2023
Consul Envoy Extension Downsteam Proxy Configuration By Upstream Service Owner
Consul and Consul Enterprise allowed any user with service:write permissions to use Envoy extensions configured via service-defaults to patch remote proxy instances that target the configured service, regardless of whether the user has permission to modify the service(s) corresponding to those modified proxies.
Weakness Type
Incorrect Privilege Assignment
A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
Products Associated with CVE-2023-2816
Want to know whenever a new CVE is published for HashiCorp Consul? stack.watch will email you.
Affected Versions
HashiCorp Consul:- Version 1.15.0 is affected.
- Version 1.15.1 is affected.
- Version 1.15.2 is affected.
- Version 1.15.0 is affected.
- Version 1.15.1 is affected.
- Version 1.15.2 is affected.
- Version 1.15.0, <= 1.15.2 is affected.
- Version 1.15.0, <= 1.15.2 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.