CVE-2022-29153
- Source
- https://cve.org/CVERecord?id=CVE-2022-29153
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-29153.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2022-29153
- Aliases
- Downstream
- Related
- Published
- 2022-04-19T16:17:10.493Z
- Modified
- 2026-03-15T22:45:20.920733Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
- Summary
- [none]
- Details
-
HashiCorp Consul and Consul Enterprise up to 1.9.16, 1.10.9, and 1.11.4 may allow server side request forgery when the Consul client agent follows redirects returned by HTTP health check endpoints. Fixed in 1.9.17, 1.10.10, and 1.11.5.
- References
-
- https://discuss.hashicorp.com/t/hcsec-2022-10-consul-s-http-health-check-may-allow-server-side-request-forgery/38393
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RBODKZL7HQE5XXS3SA2VIDVL4LAA5RWH/
- https://security.gentoo.org/glsa/202208-09
- https://security.netapp.com/advisory/ntap-20220602-0005/
- https://discuss.hashicorp.com
- https://discuss.hashicorp.com/t/hcsec-2022-10-consul-s-http-health-check-may-allow-server-side-request-forgery/
Affected packages
Git / github.com/hashicorp/consul
Affected ranges
- Type
- GIT
- Repo
- https://github.com/hashicorp/consul
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixedIntroduced0 Unknown introduced commit / All previous commits are affectedFixedIntroducedFixedIntroducedFixedIntroducedFixedIntroducedFixed
- Database specific
{ "versions": [ { "introduced": "0" }, { "fixed": "1.9.17" }, { "introduced": "0" }, { "fixed": "1.9.17" }, { "introduced": "1.10.0" }, { "fixed": "1.10.10" }, { "introduced": "1.10.0" }, { "fixed": "1.10.10" }, { "introduced": "1.11.0" }, { "fixed": "1.11.5" }, { "introduced": "1.11.0" }, { "fixed": "1.11.5" } ] }
Affected versions
api/v1.*
api/v1.10.1
api/v1.11.0
api/v1.9.1
v1.*
v1.10.0
v1.10.1
v1.10.1-beta1
v1.10.2
v1.10.3
v1.10.4
v1.10.5
v1.10.6
Database specific
unresolved_ranges
[
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "37"
}
]
}
]
vanir_signatures
[
{
"signature_type": "Function",
"signature_version": "v1",
"target": {
"file": "vendor/golang.org/x/sys/windows/svc/go12.c",
"function": "getServiceMain"
},
"id": "CVE-2022-29153-879395e3",
"deprecated": false,
"source": "https://github.com/hashicorp/consul/commit/4897b16abf192942d1e1d2ffa109bf17b2431e9a",
"digest": {
"function_hash": "225317901477249729494134811144870005602",
"length": 70.0
}
},
{
"signature_type": "Line",
"signature_version": "v1",
"target": {
"file": "vendor/golang.org/x/sys/windows/svc/go12.c"
},
"id": "CVE-2022-29153-b4ece981",
"deprecated": false,
"source": "https://github.com/hashicorp/consul/commit/4897b16abf192942d1e1d2ffa109bf17b2431e9a",
"digest": {
"line_hashes": [
"256583600554463539148930116124932445705",
"215287019700456698686835537123340634199",
"193698546486110730786644032007229432146",
"167770271410007702630251784307030380628",
"115866399525178034116990990099900723636",
"135468191340498336839464822719984042332",
"15784844586285584557691726115284778742",
"196131711885107743482433482515939196286",
"69781703775953688689542309171812586026",
"176019186644152124551599365379880885146"
],
"threshold": 0.9
}
}
]
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-29153.json"