PT-2022-19418 · Hashicorp+3 · Hashicorp Consul+4

Published: 2022-04-19 · Updated: 2025-04-02 · CVE-2022-29153

CVSS v2.0: 7.8 (High)

Vector: AV:N/AC:L/Au:N/C:N/I:C/A:N
Name of the Vulnerable Software and Affected Versions

HashiCorp Consul and Consul Enterprise versions 1.9.16 and earlier, 1.10.9 and earlier, 1.11.4 and earlier

Description

The Consul client agent follows redirects returned by HTTP health check endpoints, which can be abused as a vector for server-side request forgery (SSRF).

Recommendations

For versions 1.9.16 and earlier, update to version 1.9.17 or later. For versions 1.10.9 and earlier, update to version 1.10.10 or later. For versions 1.11.4 and earlier, update to version 1.11.5 or later. As a temporary workaround, consider restricting access to the HTTP health check endpoints to minimize the risk of exploitation.
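The redirect-following behaviour named in the description, shown with Go's standard `net/http` client as an added example (not Consul's code and not part of the original advisory). The helpers `probe` and `demo` are hypothetical, and both servers are constructed local test servers: the default client ends up contacting the redirect target, while a client whose `CheckRedirect` returns `http.ErrUseLastResponse` stops at the 302.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync/atomic"
)

// probe issues one health-check GET (hypothetical helper, not Consul's code).
// With followRedirects=false the 3xx answer is returned as-is and the
// Location target is never contacted.
func probe(url string, followRedirects bool) (int, error) {
	client := &http.Client{}
	if !followRedirects {
		client.CheckRedirect = func(*http.Request, []*http.Request) error {
			return http.ErrUseLastResponse
		}
	}
	resp, err := client.Get(url)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

// demo wires up two constructed local servers: "internal" stands for a
// service only the checking host can reach, "check" is a health endpoint
// that answers every request with a 302 pointing at it.
func demo(followRedirects bool) (status int, internalHits int32, err error) {
	var hits int32
	internal := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		atomic.AddInt32(&hits, 1)
	}))
	defer internal.Close()
	check := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		http.Redirect(w, r, internal.URL+"/", http.StatusFound)
	}))
	defer check.Close()
	status, err = probe(check.URL+"/health", followRedirects)
	return status, atomic.LoadInt32(&hits), err
}

func main() {
	for _, follow := range []bool{true, false} {
		status, hits, err := demo(follow)
		fmt.Printf("follow=%v status=%d internal_hits=%d err=%v\n", follow, status, hits, err)
	}
}
```

A health check that sees a 3xx with redirects disabled can treat it as a non-passing result rather than a reason to issue a second request.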

Fix

SSRF

Weakness Enumeration

Related Identifiers

ALT-PU-2023-1696
ALT-PU-2023-7106
ALT-PU-2024-8028
BDU:2025-04575
BIT-CONSUL-2022-29153
CVE-2022-29153
GHSA-Q6H7-4QGW-2J9P
GO-2022-0615
MGASA-2023-0009

Affected Products

Alt Linux
Hashicorp Consul Enterprise
Debian
Hashicorp Consul
Red Os