Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2022-29153

HashiCorp Consul and Consul Enterprise up to 1.9.16, 1.10.9, and 1.11.4 may allow server side request forgery when the Consul client agent follows redirects returned by HTTP health check endpoints. Fixed in 1.9.17, 1.10.10, and 1.11.5.

Published

2022-04-19T16:17:10.493

Last Modified

2024-11-21T06:58:35.740

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 7.5 (HIGH)

CVSSv2 Vector

AV:N/AC:L/Au:N/C:N/I:P/A:N

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE

Exploitability Score

10.0

Impact Score

2.9

Weaknesses

Type: Primary
CWE-918

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	hashicorp	consul	< 1.9.17	Yes
Application	hashicorp	consul	< 1.9.17	Yes
Application	hashicorp	consul	< 1.10.10	Yes
Application	hashicorp	consul	< 1.10.10	Yes
Application	hashicorp	consul	< 1.11.5	Yes
Application	hashicorp	consul	< 1.11.5	Yes
Operating System	fedoraproject	fedora	37	Yes

References

https://discuss.hashicorp.com Vendor Advisory ([email protected])
https://discuss.hashicorp.com/t/hcsec-2022-10-consul-s-http-health-check-may-allow-server-side-request-forgery/ Vendor Advisory ([email protected])
https://discuss.hashicorp.com/t/hcsec-2022-10-consul-s-http-health-check-may-allow-server-side-request-forgery/38393 Vendor Advisory ([email protected])
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RBODKZL7HQE5XXS3SA2VIDVL4LAA5RWH/ Mailing List, Third Party Advisory ([email protected])
https://security.gentoo.org/glsa/202208-09 Third Party Advisory ([email protected])
https://security.netapp.com/advisory/ntap-20220602-0005/ Third Party Advisory ([email protected])
https://discuss.hashicorp.com Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://discuss.hashicorp.com/t/hcsec-2022-10-consul-s-http-health-check-may-allow-server-side-request-forgery/ Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://discuss.hashicorp.com/t/hcsec-2022-10-consul-s-http-health-check-may-allow-server-side-request-forgery/38393 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RBODKZL7HQE5XXS3SA2VIDVL4LAA5RWH/ Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://security.gentoo.org/glsa/202208-09 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://security.netapp.com/advisory/ntap-20220602-0005/ Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)