CVE-2021-32574 - log

CVE-2021-32574 edited at 20 Jul 2021 08:23:52
References
- https://github.com/hashicorp/consul/releases/tag/v1.9.8
+ https://discuss.hashicorp.com/t/hcsec-2021-17-consul-s-envoy-tls-configuration-did-not-validate-destination-service-subject-alternative-names/26856
https://github.com/hashicorp/consul/issues/6364
https://github.com/hashicorp/consul/pull/10621
https://github.com/hashicorp/consul/pull/10623
https://github.com/hashicorp/consul/commit/2bca52fa88caedc2b6a7cc3627f3cd1f683c6d74
https://github.com/hashicorp/consul/commit/0b4fe4b7a2a7c400521248a0d548429963f4c614
CVE-2021-32574 edited at 17 Jul 2021 22:50:39
Severity
- Unknown
+ Low
Remote
- Unknown
+ Remote
Type
- Unknown
+ Certificate verification bypass
Description
+ HashiCorp Consul before version 1.9.8 does not validate SSL certificates correctly: xds does not ensure that the Subject Alternative Name of an upstream is validated.
References
+ https://github.com/hashicorp/consul/releases/tag/v1.9.8
+ https://github.com/hashicorp/consul/issues/6364
+ https://github.com/hashicorp/consul/pull/10621
+ https://github.com/hashicorp/consul/pull/10623
+ https://github.com/hashicorp/consul/commit/2bca52fa88caedc2b6a7cc3627f3cd1f683c6d74
+ https://github.com/hashicorp/consul/commit/0b4fe4b7a2a7c400521248a0d548429963f4c614
Notes
CVE-2021-32574 created at 17 Jul 2021 22:46:09