CVE-2022-29153
Severity: HIGH 7.5 | EPSS: 87.8%
HashiCorp Consul HTTP health check endpoints returning an HTTP redirect may be abused as an SSRF vector in github.com/hashicorp/consul
Published: 4/20/2022 | Modified: 4/3/2025
Description
HashiCorp Consul and Consul Enterprise up to 1.9.16, 1.10.9, and 1.11.4 may allow server-side request forgery (SSRF) because the Consul client agent follows HTTP redirects returned by HTTP health check endpoints. Anyone who controls a registered health check's target (or who can register a service with an HTTP check against an agent, which the agent HTTP API permits unauthenticated when ACLs are not enabled) can have the agent issue a request to an arbitrary URL named in the redirect's Location header, including addresses on the agent's internal network. The attacker does not receive the response body, only the resulting check status, which is why the CVSS vector below scores integrity impact and no confidentiality impact. Fixed in 1.9.17, 1.10.10, and 1.11.5, where the agent no longer follows redirects from health check endpoints.
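The mechanism described above, shown as an added Go example that is not Consul's own code: a health-check client built with net/http defaults follows the 3xx returned by an attacker-controlled check endpoint and so sends a request to whatever the Location header names (here a second loopback test server standing in for an internal service); the hardened client sets CheckRedirect to return http.ErrUseLastResponse and stops at the redirect, which is the behaviour the fixed releases adopt. The two test servers, their paths, and the simulate helper are constructed for this demonstration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync/atomic"
)

// newHealthCheckClient returns a client in the pre-fix shape when
// followRedirects is true (net/http follows up to 10 redirects by default)
// and in the hardened shape when false: CheckRedirect returns
// http.ErrUseLastResponse, so the 3xx response is handed back to the caller
// and no request is ever sent to the Location target. Illustrative code,
// not Consul's implementation.
func newHealthCheckClient(followRedirects bool) *http.Client {
	c := &http.Client{}
	if !followRedirects {
		c.CheckRedirect = func(req *http.Request, via []*http.Request) error {
			return http.ErrUseLastResponse
		}
	}
	return c
}

// runHealthCheck issues the GET a Consul-style HTTP check performs and
// reports the status code the client ends up with.
func runHealthCheck(c *http.Client, url string) (int, error) {
	resp, err := c.Get(url)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

// demoResult records what the check saw and how many requests reached the
// stand-in internal service.
type demoResult struct {
	Status       int
	InternalHits int32
}

// simulate stands up two constructed loopback servers: "internal" counts
// every request it receives, and "checkEndpoint" (the attacker-controlled
// health check URL) answers with a 302 pointing at internal. It then runs one
// health check against checkEndpoint with the chosen client behaviour.
func simulate(followRedirects bool) (demoResult, error) {
	var hits int32
	internal := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		atomic.AddInt32(&hits, 1)
		w.WriteHeader(http.StatusOK)
	}))
	defer internal.Close()

	checkEndpoint := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Hypothetical internal path chosen for the demo.
		http.Redirect(w, r, internal.URL+"/internal/action", http.StatusFound)
	}))
	defer checkEndpoint.Close()

	status, err := runHealthCheck(newHealthCheckClient(followRedirects), checkEndpoint.URL+"/health")
	if err != nil {
		return demoResult{}, err
	}
	return demoResult{Status: status, InternalHits: atomic.LoadInt32(&hits)}, nil
}

func main() {
	for _, follow := range []bool{true, false} {
		r, err := simulate(follow)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("followRedirects=%v: final status %d, internal service hit %d time(s)\n",
			follow, r.Status, r.InternalHits)
	}
}
```

With redirects followed, the check reports 200 and the internal server records one request it never should have seen; with CheckRedirect set to http.ErrUseLastResponse, the check sees the 302 itself and the internal server records nothing.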
Affected packages (4)
- Bitnami/consul: from 0, < 1.9.17; >= 1.10.0, < 1.10.10; >= 1.11.0, < 1.11.5
- Debian/consul: from 0
- Go/github.com/hashicorp/consul: from 0, < 1.9.17
- Go/github.com/hashicorp/consul: from 0, < 1.9.17; >= 1.10.0, < 1.10.10; >= 1.11.0, < 1.11.5
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
References (8)
- ADVISORY https://github.com/advisories/GHSA-q6h7-4qgw-2j9p
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2022-29153
- ADVISORY https://security-tracker.debian.org/tracker/CVE-2022-29153
- PATCH https://github.com/hashicorp/consul
- WEB https://discuss.hashicorp.com/t/hcsec-2022-10-consul-s-http-health-check-may-allow-server-side-request-forgery/38393
- WEB https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RBODKZL7HQE5XXS3SA2VIDVL4LAA5RWH
- WEB https://security.gentoo.org/glsa/202208-09
- WEB https://security.netapp.com/advisory/ntap-20220602-0005