CVE-2023-3518 — JWT Auth in L7 Intentions Allow For Mismatched Service Identity and JWT Provider

Description

HashiCorp Consul and Consul Enterprise 1.16.0 when using JWT Auth for service mesh incorrectly allows/denies access regardless of service identities. Fixed in 1.16.1.

How to fix CVE-2023-3518

To remediate CVE-2023-3518, upgrade the affected package to a fixed version below.

Bitnami/consul—upgrade to 1.16.1 or later
—upgrade to 1.16.1 or later
—upgrade to 1.16.1 or later

Is CVE-2023-3518 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

>= 1.16.0, < 1.16.1
>= 1.16.0, < 1.16.1
>= 1.16.0, < 1.16.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

References (4)

ADVISORYgithub.com/advisories/GHSA-9rhf-q362-77mx
ADVISORYnvd.nist.gov/vuln/detail/CVE-2023-3518
PATCHgithub.com/hashicorp/consul
WEBdiscuss.hashicorp.com/t/hcsec-2023-25-consul-jwt-auth-in-l7-intentions-allow-for-mismatched-service-identity-and-jwt-providers/57004