CVE-2021-36213 log

Source	CVE Red Hat MITRE NVD Debian Ubuntu SUSE Alpine Mageia CVE Details CIRCL Bugs Arch Linux Red Hat Gentoo SUSE GitHub Lists oss-security full-disclosure bugtraq Misc GitHub code web search
Severity	Medium
Remote	Yes
Type	Access restriction bypass
Description	In HashiCorp Consul before version 1.9.8, xds can generate a situation where a single L7 deny intention (with a default deny policy) results in an allow action.

Group	Package	Affected	Fixed	Severity	Status	Ticket
AVG-2171	consul	1.9.7-1	1.9.8-1	Medium	Fixed

Date	Advisory	Group	Package	Severity	Type
27 Jul 2021	ASA-202107-69	AVG-2171	consul	Medium	multiple issues

References
https://discuss.hashicorp.com/t/hcsec-2021-16-consul-s-application-aware-intentions-deny-action-fails-open-when-combined-with-default-deny-policy/26855 https://github.com/hashicorp/consul/pull/10619 https://github.com/hashicorp/consul/pull/10620 https://github.com/hashicorp/consul/commit/3ca24425ef7ad223077269a42041622f269ef5d0

References

https://discuss.hashicorp.com/t/hcsec-2021-16-consul-s-application-aware-intentions-deny-action-fails-open-when-combined-with-default-deny-policy/26855
https://github.com/hashicorp/consul/pull/10619
https://github.com/hashicorp/consul/pull/10620
https://github.com/hashicorp/consul/commit/3ca24425ef7ad223077269a42041622f269ef5d0