
Cloud Vulnerability DB
A community-led vulnerabilities database
HashiCorp Consul versions from 1.8.1 up to and including 1.11.8, 1.12.4, and 1.13.1 contain a vulnerability in the auto-config feature that allows specially crafted requests to generate TLS certificates and ACL tokens for node names the operator did not intend. The vulnerability was discovered internally by the Consul engineering team and was fixed in versions 1.11.9, 1.12.5, and 1.13.2 (HashiCorp Discuss).
The vulnerability affects Consul's auto-config feature, which distributes security material and configuration settings to Consul agents in a datacenter. The issue stems from improper validation of node or segment names before they are interpolated into, and evaluated as part of, the JWT claim assertions used by the auto-config RPC. Client agents present JSON Web Tokens (JWTs) to server agents in order to securely retrieve gossip encryption keys, TLS certificates, ACL settings, and other configuration properties (HashiCorp Discuss).
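The following Go snippet is an added example, not Consul's code or its actual fix. It illustrates the defensive pattern the advisory points at: validating a node or segment name before it is interpolated into a claim-assertion template such as `value.node == "${node}"` (the `${node}` and `${segment}` placeholders follow the documented `auto_config` `claim_assertions` form). The DNS-label character set enforced by `ValidateName` and the helper names `ValidateName` and `RenderAssertion` are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Added example, not Consul's own validation. Assumption: a node or segment
// name must be DNS-label style: lowercase letters, digits and hyphens, with
// labels separated by dots, each label 1-63 characters and not starting or
// ending with a hyphen.
var labelRE = regexp.MustCompile(`^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$`)

// ValidateName returns an error if name is not safe to interpolate into a
// claim-assertion template. Anything outside the allow-list is rejected, so
// quotes, spaces and operator characters never reach the expression.
func ValidateName(name string) error {
	if name == "" {
		return errors.New("name is empty")
	}
	if len(name) > 253 {
		return errors.New("name exceeds 253 characters")
	}
	for _, label := range strings.Split(name, ".") {
		if !labelRE.MatchString(label) {
			return fmt.Errorf("label %q contains characters outside [a-z0-9-]", label)
		}
	}
	return nil
}

// RenderAssertion substitutes ${node} and ${segment} in tmpl, refusing to
// interpolate any value that fails ValidateName. Segment is optional and is
// only checked when present.
func RenderAssertion(tmpl, node, segment string) (string, error) {
	if err := ValidateName(node); err != nil {
		return "", fmt.Errorf("invalid node name: %w", err)
	}
	if segment != "" {
		if err := ValidateName(segment); err != nil {
			return "", fmt.Errorf("invalid segment name: %w", err)
		}
	}
	r := strings.NewReplacer("${node}", node, "${segment}", segment)
	return r.Replace(tmpl), nil
}

func main() {
	tmpl := `value.node == "${node}"`
	// Constructed sample names: one well-formed, one with characters outside
	// the allow-list (uppercase and underscore) that must be rejected.
	for _, n := range []string{"web-01.dc1", "Web_01"} {
		out, err := RenderAssertion(tmpl, n, "")
		fmt.Printf("%q -> %q err=%v\n", n, out, err)
	}
}
```

Validating against an allow-list before interpolation, rather than trying to escape or reject specific characters afterwards, is the property that keeps the rendered assertion's meaning identical to what the operator wrote in configuration.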
An attacker could craft auto-config requests that cause TLS certificates and ACL tokens to be generated for node names not intended by the operator. This forces Consul to store unintended state, which a malicious operator can repeatedly abuse to mount an authenticated denial-of-service attack (HashiCorp Discuss).
Organizations running affected versions of Consul, particularly those using the auto-config feature, should upgrade to a fixed version: Consul 1.11.9, 1.12.5, 1.13.2, or newer. No workarounds have been published (HashiCorp Discuss).
Source: This report was generated using AI