BIT-consul-2022-29153
See a problem?- Import Source
- https://github.com/bitnami/vulndb/tree/main/data/consul/BIT-consul-2022-29153.json
- JSON Data
- https://api.osv.dev/v1/vulns/BIT-consul-2022-29153
- Aliases
- Published
- 2024-03-06T10:52:10.905Z
- Modified
- 2024-08-21T15:41:42.320317Z
- Summary
- [none]
- Details
-
HashiCorp Consul and Consul Enterprise up to 1.9.16, 1.10.9, and 1.11.4 may allow server side request forgery when the Consul client agent follows redirects returned by HTTP health check endpoints. Fixed in 1.9.17, 1.10.10, and 1.11.5.
- Database specific
{ "cpes": [ "cpe:2.3:a:hashicorp:consul:*:*:*:*:-:*:*:*", "cpe:2.3:a:hashicorp:consul:*:*:*:*:enterprise:*:*:*" ], "severity": "High" }- References
-
- https://discuss.hashicorp.com
- https://discuss.hashicorp.com/t/hcsec-2022-10-consul-s-http-health-check-may-allow-server-side-request-forgery/
- https://discuss.hashicorp.com/t/hcsec-2022-10-consul-s-http-health-check-may-allow-server-side-request-forgery/38393
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RBODKZL7HQE5XXS3SA2VIDVL4LAA5RWH/
- https://security.gentoo.org/glsa/202208-09
- https://security.netapp.com/advisory/ntap-20220602-0005/
Affected packages
Bitnami / consul
Package
- Name
- consul
- Purl
- pkg:bitnami/consul
Severity
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator