GHSA-rqjq-ww83-wv5c

GitHub Security Advisory

HashiCorp Consul allows user with service:write permissions to patch remote proxy instances

✓ GitHub Reviewed | Severity: HIGH | Has CVE

Advisory Details

Consul and Consul Enterprise allowed any user with service:write permissions to use Envoy extensions configured via service-defaults to patch remote proxy instances that target the configured service, regardless of whether the user has permission to modify the service(s) corresponding to those modified proxies.

Affected Packages

Go github.com/hashicorp/consul
Affected versions: 1.15.0 (fixed in 1.15.3)

Key Information

GHSA ID: GHSA-rqjq-ww83-wv5c
Published: June 3, 2023 12:30 AM
Last Modified: June 6, 2023 2:04 AM
CVSS Score: 7.5/10
Primary Ecosystem: Go
Primary Package: github.com/hashicorp/consul
GitHub Reviewed: ✓ Yes

Dataset

Last updated: July 6, 2025 6:30 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.