HashiCorp Consul and Consul Enterprise up to 1.9.16, 1.10.9, and 1.11.4 may allow server side request forgery when the Consul client agent follows redirects returned by HTTP health check endpoints. Fixed in 1.9.17, 1.10.10, and 1.11.5.
https://security.netapp.com/advisory/ntap-20220602-0005/
https://security.gentoo.org/glsa/202208-09
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RBODKZL7HQE5XXS3SA2VIDVL4LAA5RWH/
https://discuss.hashicorp.com/t/hcsec-2022-10-consul-s-http-health-check-may-allow-server-side-request-forgery/38393
https://discuss.hashicorp.com/t/hcsec-2022-10-consul-s-http-health-check-may-allow-server-side-request-forgery/
https://discuss.hashicorp.com
Source: Mitre, NVD
Published: 2022-04-19
Updated: 2024-11-21
Base Score: 5
Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N
Severity: Medium
Base Score: 7.5
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Severity: High
EPSS: 0.88401