CVE-2021-38698
Description
HashiCorp Consul and Consul Enterprise 1.10.1 Txn.Apply endpoint allowed services to register proxies for other services, enabling access to service traffic. Fixed in 1.8.15, 1.9.9 and 1.10.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
HashiCorp Consul's Txn.Apply endpoint let a token with service:write on one service register a Connect proxy for a different service, exposing that service's traffic; fixed in versions 1.8.15, 1.9.9 and 1.10.2.
Vulnerability
Consul and Consul Enterprise versions prior to 1.8.15, 1.9.9, and 1.10.2 contain a missing authorization check in the Txn.Apply endpoint [1][2][4]. An ACL token with service:write permissions for any service could be used to register a Connect proxy whose destination is an arbitrary target service: the endpoint verified the token against the proxy's own service name but not against the service the proxy claimed to front, so the check intended to protect the target service was bypassed [4].
Exploitation
An attacker possessing an ACL token with service:write permissions for any service could craft a transaction containing a service registration that sets the proxy's destination to a different service [4]. The attacker only needs network access to the Consul HTTP API (the /v1/txn endpoint, which is backed by the Txn.Apply RPC) and a valid token with that minimal service:write privilege [4].
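To make the missing check concrete for both the vulnerability and the exploitation described above, here is an added example (not Consul's own code; the real authorizer, op types and helper names differ) that models the ACL decision for a service registration carried in a /v1/txn body. The JSON field names (Kind, Proxy.DestinationServiceName) follow Consul's registration API; the Authorizer type, the VetTxn and vetService functions and the "evil-proxy" / "payments" service names are hypothetical, and the transaction body is a constructed sample. The pre-fix path vets only the proxy's own service name; the post-fix path also requires service:write on the destination service.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Authorizer is a hypothetical stand-in for an ACL token: the set of
// service names the token holds service:write on.
type Authorizer struct {
	ServiceWrite map[string]bool
}

// Proxy carries the sidecar-specific part of a registration.
type Proxy struct {
	DestinationServiceName string `json:"DestinationServiceName"`
}

// Service is the registration payload inside a txn "Service" op.
type Service struct {
	ID      string `json:"ID"`
	Service string `json:"Service"`
	Kind    string `json:"Kind"` // "" for a plain service, "connect-proxy" for a sidecar
	Proxy   Proxy  `json:"Proxy"`
}

// ServiceOp is one "Service" operation of a txn body.
type ServiceOp struct {
	Verb    string  `json:"Verb"`
	Node    string  `json:"Node"`
	Service Service `json:"Service"`
}

// TxnOp is one element of the txn array; only Service ops are modelled here.
type TxnOp struct {
	Service *ServiceOp `json:"Service,omitempty"`
}

var ErrPermissionDenied = errors.New("permission denied")

// vetService checks a single registration. With fixed=false it mirrors the
// pre-fix behaviour (only the proxy's own name is vetted); with fixed=true a
// connect-proxy must also carry service:write on the destination it fronts.
func vetService(authz Authorizer, svc Service, fixed bool) error {
	if !authz.ServiceWrite[svc.Service] {
		return fmt.Errorf("%w: service:write on %q", ErrPermissionDenied, svc.Service)
	}
	if fixed && svc.Kind == "connect-proxy" {
		dest := svc.Proxy.DestinationServiceName
		if dest == "" {
			return errors.New("connect-proxy registration without DestinationServiceName")
		}
		if !authz.ServiceWrite[dest] {
			return fmt.Errorf("%w: service:write on proxy destination %q", ErrPermissionDenied, dest)
		}
	}
	return nil
}

// VetTxn parses a txn body and vets every writing service op ("set"/"cas")
// against the token. KV, Node and Check ops are out of scope for this example.
func VetTxn(authz Authorizer, body []byte, fixed bool) error {
	var ops []TxnOp
	if err := json.Unmarshal(body, &ops); err != nil {
		return fmt.Errorf("bad txn body: %w", err)
	}
	for i, op := range ops {
		if op.Service == nil || (op.Service.Verb != "set" && op.Service.Verb != "cas") {
			continue
		}
		if err := vetService(authz, op.Service.Service, fixed); err != nil {
			return fmt.Errorf("op %d: %w", i, err)
		}
	}
	return nil
}

// AttackerTxn is a constructed sample body: a proxy named "evil-proxy"
// registered as the Connect sidecar for the unrelated service "payments".
const AttackerTxn = `[{"Service":{"Verb":"set","Node":"node1","Service":{
  "ID":"evil-proxy","Service":"evil-proxy","Kind":"connect-proxy",
  "Proxy":{"DestinationServiceName":"payments"}}}}]`

// AttackerToken holds the minimal privilege the advisory describes:
// service:write on one service the attacker controls, nothing on "payments".
var AttackerToken = Authorizer{ServiceWrite: map[string]bool{"evil-proxy": true}}

func main() {
	fmt.Println("pre-fix: ", VetTxn(AttackerToken, []byte(AttackerTxn), false))
	fmt.Println("post-fix:", VetTxn(AttackerToken, []byte(AttackerTxn), true))
}
```

Run as-is: the pre-fix path returns nil for the attacker's transaction, the post-fix path returns a permission-denied error naming the destination service. A token that also holds service:write on "payments" passes both paths, which is the legitimate sidecar-registration case the fix preserves.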
Impact
Successful exploitation causes Consul to advertise the attacker-controlled proxy as the Connect proxy for the target service, so service-to-service traffic intended for that service is directed to the attacker [4]. Traffic that should have been confined to the target's own sidecar can then be intercepted or tampered with, potentially exposing sensitive data and compromising the confidentiality and integrity of service-to-service communication [4].
Mitigation
Upgrade to Consul or Consul Enterprise 1.8.15, 1.9.9, or 1.10.2 or later [2][4]. The fix corrects ACL enforcement on the Txn.Apply endpoint to ensure that proxy registrations are properly authorized [1][4]. No workaround is available [4].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/hashicorp/consul | Go | >= 1.10.1, < 1.10.2 | 1.10.2 |
| github.com/hashicorp/consul | Go | >= 1.9.0, < 1.9.9 | 1.9.9 |
| github.com/hashicorp/consul | Go | < 1.8.15 | 1.8.15 |
Affected products
27 entries: HashiCorp/Consul (from the description) plus 26 OSV package coordinates. None carries a CPE; the affected range each feed reports is listed below (in the Alpine/Wolfi secfixes convention, a range of `< 0` marks a package that was never affected).

| Package (purl) | Affected range |
|---|---|
| pkg:apk/chainguard/consul-1.15 | < 1.15.11-r5 |
| pkg:apk/chainguard/consul-1.15-oci-entrypoint | < 1.15.11-r5 |
| pkg:apk/chainguard/consul-1.15-oci-entrypoint-compat | < 1.15.11-r5 |
| pkg:apk/chainguard/consul-1.16 | < 0 |
| pkg:apk/chainguard/consul-1.16-oci-entrypoint | < 0 |
| pkg:apk/chainguard/consul-1.16-oci-entrypoint-compat | < 0 |
| pkg:apk/chainguard/consul-1.17 | < 0 |
| pkg:apk/chainguard/consul-1.17-fips | < 0 |
| pkg:apk/chainguard/consul-1.17-fips-oci-entrypoint | < 0 |
| pkg:apk/chainguard/consul-1.17-fips-oci-entrypoint-compat | < 0 |
| pkg:apk/chainguard/consul-1.17-oci-entrypoint | < 0 |
| pkg:apk/chainguard/consul-1.17-oci-entrypoint-compat | < 0 |
| pkg:apk/chainguard/k3d | < 5.6.0-r11 |
| pkg:apk/chainguard/k3d-proxy | < 5.6.0-r11 |
| pkg:apk/chainguard/k3d-tools | < 5.6.0-r11 |
| pkg:apk/wolfi/consul-1.15 | < 1.15.11-r5 |
| pkg:apk/wolfi/consul-1.15-oci-entrypoint | < 1.15.11-r5 |
| pkg:apk/wolfi/consul-1.15-oci-entrypoint-compat | < 1.15.11-r5 |
| pkg:apk/wolfi/consul-1.16 | < 0 |
| pkg:apk/wolfi/consul-1.16-oci-entrypoint | < 0 |
| pkg:apk/wolfi/consul-1.16-oci-entrypoint-compat | < 0 |
| pkg:apk/wolfi/k3d | < 5.6.0-r11 |
| pkg:apk/wolfi/k3d-proxy | < 5.6.0-r11 |
| pkg:apk/wolfi/k3d-tools | < 5.6.0-r11 |
| pkg:bitnami/consul | < 1.8.15 |
| pkg:golang/github.com/hashicorp/consul | >= 1.10.1, < 1.10.2 |
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] https://github.com/advisories/GHSA-6hw5-6gcx-phmw (GitHub Security Advisory)
- [2] https://nvd.nist.gov/vuln/detail/CVE-2021-38698 (NVD entry)
- [3] https://security.gentoo.org/glsa/202208-09 (Gentoo vendor advisory, GLSA 202208-09)
- [4] https://discuss.hashicorp.com/t/hcsec-2021-24-consul-missing-authorization-check-on-txn-apply-endpoint/29026 (HashiCorp security bulletin HCSEC-2021-24)
- [5] https://github.com/hashicorp/consul/pull/10824 (fix pull request)
- [6] https://www.hashicorp.com/blog/category/consul (HashiCorp Consul blog)
News mentions
No linked articles in our index yet.