{"api_version":"1","generated_at":"2026-04-23T02:37:23+00:00","cve":"CVE-2021-41803","urls":{"html":"https://cve.report/CVE-2021-41803","api":"https://cve.report/api/cve/CVE-2021-41803.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2021-41803","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2021-41803"},"summary":{"title":"CVE-2021-41803","description":"HashiCorp Consul 1.8.1 up to 1.11.8, 1.12.4, and 1.13.1 do not properly validate the node or segment names prior to interpolation and usage in JWT claim assertions with the auto config RPC. Fixed in 1.11.9, 1.12.5, and 1.13.2.\"","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2022-09-23 01:15:00","updated_at":"2023-11-07 03:39:00"},"problem_types":["CWE-862"],"metrics":[],"references":[{"url":"https://discuss.hashicorp.com/t/hcsec-2022-19-consul-auto-config-jwt-authorization-missing-input-validation/44627","name":"https://discuss.hashicorp.com/t/hcsec-2022-19-consul-auto-config-jwt-authorization-missing-input-validation/44627","refsource":"MISC","tags":[],"title":"HCSEC-2022-19 - Consul Auto-Config JWT Authorization Missing Input Validation - Security - HashiCorp Discuss","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/","name":"FEDORA-2023-cf3551046d","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 37 Update: moby-engine-24.0.5-1.fc37 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XNF4OLYZRQE75EB5TW5N42FSXHBXGWFE/","name":"FEDORA-2023-b9c1d0e4c5","refsource":"","tags":[],"title":"[SECURITY] Fedora 39 Update: moby-engine-24.0.5-1.fc39 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZTE4ITXXPIWZEQ4HYQCB6N6GZIMWXDAI/","name":"FEDORA-2023-9f5f1ef40a","refsource":"","tags":[],"title":"[SECURITY] Fedora 38 Update: moby-engine-24.0.5-1.fc38 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTE4ITXXPIWZEQ4HYQCB6N6GZIMWXDAI/","name":"FEDORA-2023-9f5f1ef40a","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 38 Update: moby-engine-24.0.5-1.fc38 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.hashicorp.com/blog/category/consul","name":"https://www.hashicorp.com/blog/category/consul","refsource":"MISC","tags":[],"title":"HashiCorp Blog: Consul","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XNF4OLYZRQE75EB5TW5N42FSXHBXGWFE/","name":"FEDORA-2023-b9c1d0e4c5","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 39 Update: moby-engine-24.0.5-1.fc39 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/","name":"FEDORA-2023-cf3551046d","refsource":"","tags":[],"title":"[SECURITY] Fedora 37 Update: moby-engine-24.0.5-1.fc37 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2021-41803","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-41803","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2021","cve_id":"41803","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"hashicorp","cpe5":"consul","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"-","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"41803","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"hashicorp","cpe5":"consul","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"enterprise","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"41803","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"hashicorp","cpe5":"consul","cpe6":"1.12.4","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"-","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"41803","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"hashicorp","cpe5":"consul","cpe6":"1.12.4","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"enterprise","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"41803","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"hashicorp","cpe5":"consul","cpe6":"1.13.1","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"-","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"41803","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"hashicorp","cpe5":"consul","cpe6":"1.13.1","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"enterprise","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2021-41803","qid":"285289","title":"Fedora Security Update for moby (FEDORA-2023-b9c1d0e4c5)"},{"cve":"CVE-2021-41803","qid":"502524","title":"Alpine Linux Security Update for consul"},{"cve":"CVE-2021-41803","qid":"502836","title":"Alpine Linux Security Update for consul"},{"cve":"CVE-2021-41803","qid":"997920","title":"GO (Go) Security Update for github.com/hashicorp/consul (GHSA-hr3v-8cp3-68rf)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2021-41803","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"HashiCorp Consul 1.8.1 up to 1.11.8, 1.12.4, and 1.13.1 do not properly validate the node or segment names prior to interpolation and usage in JWT claim assertions with the auto config RPC. Fixed in 1.11.9, 1.12.5, and 1.13.2.\""}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"url":"https://www.hashicorp.com/blog/category/consul","refsource":"MISC","name":"https://www.hashicorp.com/blog/category/consul"},{"refsource":"MISC","name":"https://discuss.hashicorp.com/t/hcsec-2022-19-consul-auto-config-jwt-authorization-missing-input-validation/44627","url":"https://discuss.hashicorp.com/t/hcsec-2022-19-consul-auto-config-jwt-authorization-missing-input-validation/44627"},{"refsource":"FEDORA","name":"FEDORA-2023-9f5f1ef40a","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTE4ITXXPIWZEQ4HYQCB6N6GZIMWXDAI/"},{"refsource":"FEDORA","name":"FEDORA-2023-cf3551046d","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC/"},{"refsource":"FEDORA","name":"FEDORA-2023-b9c1d0e4c5","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XNF4OLYZRQE75EB5TW5N42FSXHBXGWFE/"}]}},"nvd":{"publishedDate":"2022-09-23 01:15:00","lastModifiedDate":"2023-11-07 03:39:00","problem_types":["CWE-862"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"HIGH","baseScore":7.1,"baseSeverity":"HIGH"},"exploitabilityScore":2.8,"impactScore":4.2}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:hashicorp:consul:1.12.4:*:*:*:enterprise:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:hashicorp:consul:1.13.1:*:*:*:enterprise:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:hashicorp:consul:1.12.4:*:*:*:-:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:hashicorp:consul:1.13.1:*:*:*:-:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:hashicorp:consul:*:*:*:*:enterprise:*:*:*","versionStartIncluding":"1.8.1","versionEndExcluding":"1.11.9","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:hashicorp:consul:*:*:*:*:-:*:*:*","versionStartIncluding":"1.8.1","versionEndExcluding":"1.11.9","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2021","CveId":"41803","Ordinal":"217618","Title":"CVE-2021-41803","CVE":"CVE-2021-41803","Year":"2021"},"notes":[{"CveYear":"2021","CveId":"41803","Ordinal":"1","NoteData":"** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.","Type":"Description","Title":null}]}}}