CVE-2023-2816 (GCVE-0-2023-2816)
Vulnerability from cvelistv5 – Published: 2023-06-02 22:43 – Updated: 2024-10-07 20:12
VLAI
Title
Consul Envoy Extension Downsteam Proxy Configuration By Upstream Service Owner
Summary
Consul and Consul Enterprise allowed any user with service:write permissions to use Envoy extensions configured via service-defaults to patch remote proxy instances that target the configured service, regardless of whether the user has permission to modify the service(s) corresponding to those modified proxies.
Severity
8.7 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-266 - Incorrect Privilege Assignment
Assigner
References
1 reference
Impacted products
4 products
| Vendor | Product | Version | |
|---|---|---|---|
| HashiCorp | Consul |
Affected:
1.15.0
Affected: 1.15.1 Affected: 1.15.2 |
|
| HashiCorp | Consul Enterprise |
Affected:
1.15.0
Affected: 1.15.1 Affected: 1.15.2 |
|
| hashicorp | consul |
Affected:
1.15.0 , ≤ 1.15.2
(custom)
cpe:2.3:a:hashicorp:consul:1.15.0:*:*:*:-:*:*:* |
|
| hashicorp | consul |
Affected:
1.15.0 , ≤ 1.15.2
(custom)
cpe:2.3:a:hashicorp:consul:1.15.0:*:*:*:enterprise:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:hashicorp:consul:1.15.0:*:*:*:-:*:*:*"
],
"defaultStatus": "unaffected",
"product": "consul",
"vendor": "hashicorp",
"versions": [
{
"lessThanOrEqual": "1.15.2",
"status": "affected",
"version": "1.15.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:hashicorp:consul:1.15.0:*:*:*:enterprise:*:*:*"
],
"defaultStatus": "unaffected",
"product": "consul",
"vendor": "hashicorp",
"versions": [
{
"lessThanOrEqual": "1.15.2",
"status": "affected",
"version": "1.15.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-2816",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-07T20:11:32.907747Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-07T20:12:01.627Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T06:33:05.672Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://discuss.hashicorp.com/t/hcsec-2023-16-consul-envoy-extension-downstream-proxy-configuration-by-upstream-service-owner/54525"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"64 bit",
"32 bit",
"x86",
"ARM",
"MacOS",
"Windows",
"Linux"
],
"product": "Consul",
"repo": "https://github.com/hashicorp/consul",
"vendor": "HashiCorp",
"versions": [
{
"status": "affected",
"version": "1.15.0"
},
{
"status": "affected",
"version": "1.15.1"
},
{
"status": "affected",
"version": "1.15.2"
}
]
},
{
"defaultStatus": "unaffected",
"platforms": [
"64 bit",
"32 bit",
"x86",
"ARM",
"MacOS",
"Windows",
"Linux"
],
"product": "Consul Enterprise",
"repo": "https://github.com/hashicorp/consul",
"vendor": "HashiCorp",
"versions": [
{
"status": "affected",
"version": "1.15.0"
},
{
"status": "affected",
"version": "1.15.1"
},
{
"status": "affected",
"version": "1.15.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eConsul and Consul Enterprise allowed any user with service:write permissions to use Envoy extensions configured via service-defaults to patch remote proxy instances that target the configured service, regardless of whether the user has permission to modify the service(s) corresponding to those modified proxies.\u003c/p\u003e\u003cbr/\u003e"
}
],
"value": "Consul and Consul Enterprise allowed any user with service:write permissions to use Envoy extensions configured via service-defaults to patch remote proxy instances that target the configured service, regardless of whether the user has permission to modify the service(s) corresponding to those modified proxies."
}
],
"impacts": [
{
"capecId": "CAPEC-113",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-113: Interface Manipulation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "CWE-266: Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-26T18:59:27.367Z",
"orgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc",
"shortName": "HashiCorp"
},
"references": [
{
"url": "https://discuss.hashicorp.com/t/hcsec-2023-16-consul-envoy-extension-downstream-proxy-configuration-by-upstream-service-owner/54525"
}
],
"source": {
"advisory": "HCSEC-2023-16",
"discovery": "INTERNAL"
},
"title": "Consul Envoy Extension Downsteam Proxy Configuration By Upstream Service Owner"
}
},
"cveMetadata": {
"assignerOrgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc",
"assignerShortName": "HashiCorp",
"cveId": "CVE-2023-2816",
"datePublished": "2023-06-02T22:43:34.553Z",
"dateReserved": "2023-05-19T18:11:06.618Z",
"dateUpdated": "2024-10-07T20:12:01.627Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2023-2816",
"date": "2026-06-02",
"epss": "0.00161",
"percentile": "0.36753"
},
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:hashicorp:consul:*:*:*:*:-:*:*:*\", \"versionStartIncluding\": \"1.15.0\", \"versionEndExcluding\": \"1.15.3\", \"matchCriteriaId\": \"9D592391-F006-4F99-BF39-DAA3D2B86305\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:hashicorp:consul:*:*:*:*:enterprise:*:*:*\", \"versionStartIncluding\": \"1.15.0\", \"versionEndExcluding\": \"1.15.3\", \"matchCriteriaId\": \"12E16E32-03E5-44B6-BAB5-8809E6E852F4\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"Consul and Consul Enterprise allowed any user with service:write permissions to use Envoy extensions configured via service-defaults to patch remote proxy instances that target the configured service, regardless of whether the user has permission to modify the service(s) corresponding to those modified proxies.\"}]",
"id": "CVE-2023-2816",
"lastModified": "2024-11-21T07:59:20.730",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"security@hashicorp.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N\", \"baseScore\": 8.7, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"HIGH\", \"userInteraction\": \"NONE\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.3, \"impactScore\": 5.8}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N\", \"baseScore\": 6.5, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 3.6}]}",
"published": "2023-06-02T23:15:09.503",
"references": "[{\"url\": \"https://discuss.hashicorp.com/t/hcsec-2023-16-consul-envoy-extension-downstream-proxy-configuration-by-upstream-service-owner/54525\", \"source\": \"security@hashicorp.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://discuss.hashicorp.com/t/hcsec-2023-16-consul-envoy-extension-downstream-proxy-configuration-by-upstream-service-owner/54525\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}]",
"sourceIdentifier": "security@hashicorp.com",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"security@hashicorp.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-266\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"NVD-CWE-noinfo\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2023-2816\",\"sourceIdentifier\":\"security@hashicorp.com\",\"published\":\"2023-06-02T23:15:09.503\",\"lastModified\":\"2024-11-21T07:59:20.730\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Consul and Consul Enterprise allowed any user with service:write permissions to use Envoy extensions configured via service-defaults to patch remote proxy instances that target the configured service, regardless of whether the user has permission to modify the service(s) corresponding to those modified proxies.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security@hashicorp.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N\",\"baseScore\":8.7,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.3,\"impactScore\":5.8},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security@hashicorp.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-266\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:hashicorp:consul:*:*:*:*:-:*:*:*\",\"versionStartIncluding\":\"1.15.0\",\"versionEndExcluding\":\"1.15.3\",\"matchCriteriaId\":\"9D592391-F006-4F99-BF39-DAA3D2B86305\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:hashicorp:consul:*:*:*:*:enterprise:*:*:*\",\"versionStartIncluding\":\"1.15.0\",\"versionEndExcluding\":\"1.15.3\",\"matchCriteriaId\":\"12E16E32-03E5-44B6-BAB5-8809E6E852F4\"}]}]}],\"references\":[{\"url\":\"https://discuss.hashicorp.com/t/hcsec-2023-16-consul-envoy-extension-downstream-proxy-configuration-by-upstream-service-owner/54525\",\"source\":\"security@hashicorp.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://discuss.hashicorp.com/t/hcsec-2023-16-consul-envoy-extension-downstream-proxy-configuration-by-upstream-service-owner/54525\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://discuss.hashicorp.com/t/hcsec-2023-16-consul-envoy-extension-downstream-proxy-configuration-by-upstream-service-owner/54525\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T06:33:05.672Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-2816\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-10-07T20:11:32.907747Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:hashicorp:consul:1.15.0:*:*:*:-:*:*:*\"], \"vendor\": \"hashicorp\", \"product\": \"consul\", \"versions\": [{\"status\": \"affected\", \"version\": \"1.15.0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"1.15.2\"}], \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:2.3:a:hashicorp:consul:1.15.0:*:*:*:enterprise:*:*:*\"], \"vendor\": \"hashicorp\", \"product\": \"consul\", \"versions\": [{\"status\": \"affected\", \"version\": \"1.15.0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"1.15.2\"}], \"defaultStatus\": \"unaffected\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-07-15T14:48:42.522Z\"}}], \"cna\": {\"title\": \"Consul Envoy Extension Downsteam Proxy Configuration By Upstream Service Owner\", \"source\": {\"advisory\": \"HCSEC-2023-16\", \"discovery\": \"INTERNAL\"}, \"impacts\": [{\"capecId\": \"CAPEC-113\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-113: Interface Manipulation\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"version\": \"3.1\", \"baseScore\": 8.7, \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"repo\": \"https://github.com/hashicorp/consul\", \"vendor\": \"HashiCorp\", \"product\": \"Consul\", \"versions\": [{\"status\": \"affected\", \"version\": \"1.15.0\"}, {\"status\": \"affected\", \"version\": \"1.15.1\"}, {\"status\": \"affected\", \"version\": \"1.15.2\"}], \"platforms\": [\"64 bit\", \"32 bit\", \"x86\", \"ARM\", \"MacOS\", \"Windows\", \"Linux\"], \"defaultStatus\": \"unaffected\"}, {\"repo\": \"https://github.com/hashicorp/consul\", \"vendor\": \"HashiCorp\", \"product\": \"Consul Enterprise\", \"versions\": [{\"status\": \"affected\", \"version\": \"1.15.0\"}, {\"status\": \"affected\", \"version\": \"1.15.1\"}, {\"status\": \"affected\", \"version\": \"1.15.2\"}], \"platforms\": [\"64 bit\", \"32 bit\", \"x86\", \"ARM\", \"MacOS\", \"Windows\", \"Linux\"], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://discuss.hashicorp.com/t/hcsec-2023-16-consul-envoy-extension-downstream-proxy-configuration-by-upstream-service-owner/54525\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Consul and Consul Enterprise allowed any user with service:write permissions to use Envoy extensions configured via service-defaults to patch remote proxy instances that target the configured service, regardless of whether the user has permission to modify the service(s) corresponding to those modified proxies.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eConsul and Consul Enterprise allowed any user with service:write permissions to use Envoy extensions configured via service-defaults to patch remote proxy instances that target the configured service, regardless of whether the user has permission to modify the service(s) corresponding to those modified proxies.\u003c/p\u003e\u003cbr/\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-266\", \"description\": \"CWE-266: Incorrect Privilege Assignment\"}]}], \"providerMetadata\": {\"orgId\": \"67fedba0-ff2e-4543-ba5b-aa93e87718cc\", \"shortName\": \"HashiCorp\", \"dateUpdated\": \"2024-09-26T18:59:27.367Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2023-2816\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-10-07T20:12:01.627Z\", \"dateReserved\": \"2023-05-19T18:11:06.618Z\", \"assignerOrgId\": \"67fedba0-ff2e-4543-ba5b-aa93e87718cc\", \"datePublished\": \"2023-06-02T22:43:34.553Z\", \"assignerShortName\": \"HashiCorp\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…