CVE-2022-29153

HashiCorp Consul and Consul Enterprise up to 1.9.16, 1.10.9, and 1.11.4 may allow server side request forgery when the Consul client agent follows redirects returned by HTTP health check endpoints. Fixed in 1.9.17, 1.10.10, and 1.11.5.

Published: Apr 19, 2022
Updated: May 9, 2024
CVE: CVE-2022-29153
GHSA: GHSA-q6h7-4qgw-2j9p
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:N/I:P/A:N

CWEs:

CWE-918

Affected Software
References

Software	From	Fixed in
hashicorp / consul	1.11.0	1.11.5
hashicorp / consul	1.10.0	1.10.10
hashicorp / consul	-	1.9.17
fedoraproject / fedora	37	37.x
github.com/hashicorp/consul	-	1.9.17
github.com/hashicorp/consul	1.10.0	1.10.10
github.com/hashicorp/consul	1.11.0	1.11.5

https://discuss.hashicorp.com
https://discuss.hashicorp.com/t/hcsec-2022-10-consul-s-http-health-check-may-allow-server-side-request-forgery/
https://discuss.hashicorp.com/t/hcsec-2022-10-consul-s-http-health-check-may-allow-server-side-request-forgery/38393
https://lists.fedoraproject.org/archives/list/[email protected]/message/RBODKZL7HQE5XXS3SA2VIDVL4LAA5RWH/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RBODKZL7HQE5XXS3SA2VIDVL4LAA5RWH/
https://security.gentoo.org/glsa/202208-09
https://security.netapp.com/advisory/ntap-20220602-0005/

Vulnerability Database

289,871

CVE-2022-29153