CVE-2022-29153
Severity: HIGH 7.5 | EPSS: 87.8%
Hashicorp Consul HTTP health check endpoints returning an HTTP redirect may be abused as SSRF vector in github.com/hashicorp/consul
Published: 2022/4/20 | Modified: 2026/4/28
Description
HashiCorp Consul and Consul Enterprise up to 1.9.16, 1.10.9, and 1.11.4 may allow server side request forgery when the Consul client agent follows redirects returned by HTTP health check endpoints. Fixed in 1.9.17, 1.10.10, and 1.11.5.
Affected packages (4)
- Bitnami/consul: from 0, < 1.9.17; >= 1.10.0, < 1.10.10; >= 1.11.0, < 1.11.5
- Debian/consul: from 0
- Go/github.com/hashicorp/consul: from 0, < 1.9.17
- Go/github.com/hashicorp/consul: from 0, < 1.9.17; >= 1.10.0, < 1.10.10; >= 1.11.0, < 1.11.5
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
References (14)
- ADVISORY https://github.com/advisories/GHSA-q6h7-4qgw-2j9p
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2022-29153
- ADVISORY https://security-tracker.debian.org/tracker/CVE-2022-29153
- PATCH https://github.com/hashicorp/consul
- WEB https://discuss.hashicorp.com
- WEB https://discuss.hashicorp.com/t/hcsec-2022-10-consul-s-http-health-check-may-allow-server-side-request-forgery
- WEB https://discuss.hashicorp.com/t/hcsec-2022-10-consul-s-http-health-check-may-allow-server-side-request-forgery/
- WEB https://discuss.hashicorp.com/t/hcsec-2022-10-consul-s-http-health-check-may-allow-server-side-request-forgery/38393
- WEB https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RBODKZL7HQE5XXS3SA2VIDVL4LAA5RWH
- WEB https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RBODKZL7HQE5XXS3SA2VIDVL4LAA5RWH/
- WEB https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RBODKZL7HQE5XXS3SA2VIDVL4LAA5RWH
- WEB https://security.gentoo.org/glsa/202208-09
- WEB https://security.netapp.com/advisory/ntap-20220602-0005
- WEB https://security.netapp.com/advisory/ntap-20220602-0005/