cbcvebase.
CVE-2022-29153
published 2022-04-19

CVE-2022-29153: HashiCorp Consul and Consul Enterprise up to 1.9.16, 1.10.9, and 1.11.4 may allow server side request forgery when the Consul client agent follows redirects…

Priority: P179 high
CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
ITW EXPLOIT: VulnCheck KEV, exploited in the wild
EPSS: 8.52% (94.4th percentile)
HashiCorp Consul and Consul Enterprise up to 1.9.16, 1.10.9, and 1.11.4 may allow server side request forgery when the Consul client agent follows redirects returned by HTTP health check endpoints. Fixed in 1.9.17, 1.10.10, and 1.11.5.

Affected

8 ranges

Vendor          Product            Version range            Fixed in
debian          consul
fedoraproject   fedora
github.com      hashicorp_consul   >= 0, < 1.9.17           1.9.17
github.com      hashicorp_consul   >= 1.10.0, < 1.10.10     1.10.10
github.com      hashicorp_consul   >= 1.11.0, < 1.11.5      1.11.5
hashicorp       consul             < 1.9.17                 1.9.17
hashicorp       consul             >= 1.10.0, < 1.10.10     1.10.10
hashicorp       consul             >= 1.11.0, < 1.11.5      1.11.5

Detection & IOCs (extracted from sources)

url: /v1/agent/check/register
url: /v1/agent/check/deregister/
other: shodan: title:"Consul by HashiCorp"
other: fofa: title="consul by hashicorp"
sigma: HTTP 400 response body contains: unknown field "disable_redirects"
  • Probe for vulnerable Consul versions by sending a PUT to /v1/agent/check/register with a JSON body containing the 'disable_redirects' field. A vulnerable instance returns HTTP 400 with the body containing 'unknown field "disable_redirects"', indicating the field is not recognized and redirect-following cannot be disabled.
  • The attack vector is the HTTP health check registration endpoint. Monitor for unexpected PUT requests to /v1/agent/check/register containing an 'http' field pointing to internal/SSRF-target addresses.
  • Use Shodan/FOFA queries to identify exposed Consul instances as potential targets: Shodan 'title:"Consul by HashiCorp"' or 'http.title:"consul by hashicorp"'; FOFA 'title="consul by hashicorp"'; Google 'intitle:"consul by hashicorp"'.
  • Consul client agent follows HTTP redirects returned by HTTP health check endpoints by default. Monitor outbound HTTP requests originating from the Consul agent process to unexpected internal or external destinations triggered by health check evaluations.
  • The 'disable_redirects' option in HTTP health check configuration is the mitigation for this SSRF. Vulnerable versions do not recognize this field (returning HTTP 400 with 'unknown field "disable_redirects"'), meaning redirect-following cannot be disabled without upgrading.
  • Only the Consul client agent is affected; the vulnerability arises specifically from the client agent following HTTP redirects during health checks. Fixed versions are 1.9.17, 1.10.10, and 1.11.5.
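The version ranges and the check-registration monitoring described above, as an added defender-side example (not code from this page, HashiCorp or Consul): it classifies an agent version against the advisory's affected ranges and audits constructed proxy-log records of PUT /v1/agent/check/register for HTTP checks that leave redirect-following enabled or point at loopback/link-local addresses. The log format is an assumption, as is the key normalisation (the advisory quotes 'disable_redirects' while the agent API documents 'DisableRedirects', so both spellings are accepted).

```python
import ipaddress
import json
import re
from urllib.parse import urlsplit

# Constructed sample: one JSON object per line, as a reverse proxy in front of the agent API might log it.
SAMPLE_LOG = """\
{"method": "PUT", "path": "/v1/agent/check/register", "body": {"Name": "web", "HTTP": "http://10.0.0.5:8080/health", "Interval": "10s"}}
{"method": "PUT", "path": "/v1/agent/check/register", "body": {"Name": "api", "HTTP": "https://api.example.internal/health", "Interval": "10s", "disable_redirects": true}}
{"method": "PUT", "path": "/v1/agent/check/register", "body": {"Name": "meta", "HTTP": "http://169.254.169.254/", "Interval": "30s"}}
{"method": "PUT", "path": "/v1/agent/service/register", "body": {"Name": "db", "Port": 5432}}
{"method": "GET", "path": "/v1/agent/checks", "body": null}
"""

def is_vulnerable(version):
    """Apply the advisory's ranges: < 1.9.17, 1.10.0-1.10.9 and 1.11.0-1.11.4 are affected."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)  # tolerates suffixes such as "+ent"
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    v = tuple(int(p) for p in m.groups())
    if v < (1, 10, 0):
        return v < (1, 9, 17)
    if v < (1, 11, 0):
        return v < (1, 10, 10)
    return v < (1, 11, 5) if v < (1, 12, 0) else False

def check_findings(body):
    """(name, url, findings) for one check definition; findings is [] when clean or not an HTTP check.
    Keys are normalised so CamelCase and snake_case spellings are treated alike (assumption)."""
    f = {k.replace("_", "").lower(): v for k, v in body.items()} if isinstance(body, dict) else {}
    url, findings = f.get("http"), []
    if url and f.get("disableredirects") is not True:  # the vulnerable default
        findings.append("redirect-following enabled")
    try:
        ip = ipaddress.ip_address(urlsplit(url or "").hostname or "")
        if ip.is_loopback or ip.is_link_local:
            findings.append("loopback or link-local target")
    except ValueError:
        pass  # hostname rather than a literal IP: not classified offline
    return f.get("name"), url, findings

def audit_log(text):
    """Return (check name, URL, findings) for every flagged check registration."""
    flagged = []
    for rec in map(json.loads, filter(str.strip, text.splitlines())):
        if rec.get("method") == "PUT" and rec.get("path") == "/v1/agent/check/register":
            name, url, findings = check_findings(rec.get("body"))
            if findings:
                flagged.append((name, url, findings))
    return flagged
```

A registration flagged only as "redirect-following enabled" is the normal state on any unpatched agent; the finding becomes actionable once is_vulnerable() confirms the agent cannot honour the field.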

CVSS provenance

Source          CVSS    Score  Severity  Vector
nvd             v3.1    7.5    HIGH      CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
nvd             v2.0    5.0    MEDIUM    AV:N/AC:L/Au:N/C:N/I:P/A:N
ghsa                    7.5    HIGH
osv                     7.5    HIGH
vulncheck               7.5    HIGH
vendor_debian           7.5    HIGH
vendor_redhat           7.5    HIGH