{"id":"GO-2024-2683","summary":"Improper handling of node names in JWT claim assertions in github.com/hashicorp/consul","details":"HashiCorp Consul does not properly validate node or segment names before they are interpolated into and used in the JWT claim assertions of the auto-config RPC.","aliases":["BIT-consul-2021-41803","CVE-2021-41803","GHSA-hr3v-8cp3-68rf"],"modified":"2026-02-04T03:54:48.662373Z","published":"2024-04-05T16:54:12Z","related":["CGA-fgx3-5chv-rcq5"],"database_specific":{"url":"https://pkg.go.dev/vuln/GO-2024-2683","review_status":"REVIEWED"},"references":[{"type":"WEB","url":"https://discuss.hashicorp.com/t/hcsec-2022-19-consul-auto-config-jwt-authorization-missing-input-validation/44627"},{"type":"FIX","url":"https://github.com/hashicorp/consul/pull/14577/commits/2c881259ce10e308ff03afc968c4165998fd7fee"}],"affected":[{"package":{"name":"github.com/hashicorp/consul","ecosystem":"Go","purl":"pkg:golang/github.com/hashicorp/consul"},"ranges":[{"type":"SEMVER","events":[{"introduced":"1.8.1"},{"fixed":"1.11.9"},{"introduced":"1.12.0"},{"fixed":"1.12.5"},{"introduced":"1.13.0"},{"fixed":"1.13.2"}]}],"ecosystem_specific":{"imports":[{"symbols":["AutoConfig.InitialConfiguration","jwtAuthorizer.Authorize"],"path":"github.com/hashicorp/consul/agent/consul"}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2024-2683.json"}}],"schema_version":"1.7.3","credits":[{"name":"anonymous4ACL24"}]}