{"id":"CVE-2023-2816","details":"Consul and Consul Enterprise allowed any user with service:write permissions to use Envoy extensions configured via service-defaults to patch remote proxy instances that target the configured service, regardless of whether the user has permission to modify the service(s) corresponding to those modified proxies.","aliases":["BIT-consul-2023-2816","GHSA-rqjq-ww83-wv5c","GO-2023-1828"],"modified":"2026-03-14T11:59:53.291114Z","published":"2023-06-02T23:15:09.503Z","references":[{"type":"ADVISORY","url":"https://discuss.hashicorp.com/t/hcsec-2023-16-consul-envoy-extension-downstream-proxy-configuration-by-upstream-service-owner/54525"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/hashicorp/consul","events":[{"introduced":"53f65dc3ef58fa99048927ec6f3aee576f6cd718"},{"fixed":"7ce982ce1846ca14e567a91fa7f088084e736155"},{"introduced":"53f65dc3ef58fa99048927ec6f3aee576f6cd718"},{"fixed":"7ce982ce1846ca14e567a91fa7f088084e736155"}],"database_specific":{"versions":[{"introduced":"1.15.0"},{"fixed":"1.15.3"},{"introduced":"1.15.0"},{"fixed":"1.15.3"}]}}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-2816.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"}]}