CVE-2021-32574
HashiCorp Consul Missing SSL Certificate Validation in github.com/hashicorp/consul
CVSS 3.1: 7.5 (HIGH)
EPSS 0.80%
Description
HashiCorp Consul and Consul Enterprise 1.3.0 through 1.10.0 Envoy proxy TLS configuration does not validate destination service identity in the encoded subject alternative name. Fixed in 1.8.14, 1.9.8, and 1.10.1.
How to fix CVE-2021-32574
To remediate CVE-2021-32574, upgrade the affected package to a fixed version below.
- —upgrade to 1.8.14 or later
- —no fix listed
- —upgrade to 1.10.1 or later
- —upgrade to 1.10.1 or later
Is CVE-2021-32574 being exploited?
Low — EPSS is 0.8%, meaning exploitation activity has not been observed at scale.
Affected packages (4)
- >= 1.3.0, < 1.8.14; >= 1.9.0, < 1.9.8; >= 1.10.0, < 1.10.1
- from 0
- from 0, < 1.10.1
- from 0, < 1.10.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |