CVE-2022-29153
Published 2022-04-19
Priority: P1 (79) · Severity: high · CVSS 3.1: 7.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
ITW exploit · VulnCheck KEV · Exploited in the wild
EPSS: 8.52% (94.4th percentile)
HashiCorp Consul and Consul Enterprise up to 1.9.16, 1.10.9, and 1.11.4 may allow server side request forgery when the Consul client agent follows redirects returned by HTTP health check endpoints. Fixed in 1.9.17, 1.10.10, and 1.11.5.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | consul | — | — |
| fedoraproject | fedora | — | — |
| github.com | hashicorp_consul | >= 0 < 1.9.17 | 1.9.17 |
| github.com | hashicorp_consul | >= 1.10.0 < 1.10.10 | 1.10.10 |
| github.com | hashicorp_consul | >= 1.11.0 < 1.11.5 | 1.11.5 |
| hashicorp | consul | < 1.9.17 | 1.9.17 |
| hashicorp | consul | >= 1.10.0 < 1.10.10 | 1.10.10 |
| hashicorp | consul | >= 1.11.0 < 1.11.5 | 1.11.5 |
Detection & IOCs (extracted from sources)
Source: sigma
Indicator: HTTP 400 response body contains: unknown field "disable_redirects"
- Probe for vulnerable Consul versions by sending a PUT to /v1/agent/check/register with a JSON body containing the 'disable_redirects' field. A vulnerable instance returns HTTP 400 with a body containing 'unknown field "disable_redirects"', indicating that the field is not recognized and redirect-following cannot be disabled.
- The attack vector is the HTTP health check registration endpoint. Monitor for unexpected PUT requests to /v1/agent/check/register whose 'http' field points at internal or other SSRF-target addresses. Because the agent follows redirects, the registered URL may name an attacker-controlled external host that then redirects the agent to the internal target, so an external-looking URL is not by itself benign.
- Use Shodan/FOFA queries to identify exposed Consul instances as potential targets: Shodan 'title:"Consul by HashiCorp"' or 'http.title:"consul by hashicorp"'; FOFA 'title="consul by hashicorp"'; Google 'intitle:"consul by hashicorp"'.
- The Consul client agent follows HTTP redirects returned by HTTP health check endpoints by default. Monitor outbound HTTP requests originating from the Consul agent process to unexpected internal or external destinations triggered by health check evaluations.
- The 'disable_redirects' option in the HTTP health check configuration is the mitigation for this SSRF. Vulnerable versions do not recognize this field (returning HTTP 400 with 'unknown field "disable_redirects"'), so redirect-following cannot be disabled without upgrading.
- Only the Consul client agent is affected; the vulnerability arises specifically from the client agent following HTTP redirects during health checks. Fixed versions are 1.9.17, 1.10.10, and 1.11.5.
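The two indicators above (the version probe and the registration-body monitoring) written out as working code. This is an added example for this page, not Consul code and not the Nuclei template: `probe_payload`/`classify`/`probe` implement the `disable_redirects` version check against /v1/agent/check/register, and `check_findings`/`triage` run the SSRF-target heuristic over captured registration bodies. `CONSUL_ADDR`, `CHECK_ID`, `ALLOWED_HOSTS`, the 403 interpretation and the sample registrations are assumptions constructed for the example; the endpoint, the field name and the 400 "unknown field" signature are the page's.

```python
"""Added example for this page (not Consul code, not the Nuclei template): a probe for
CVE-2022-29153 built from the indicator above, plus a triage helper for captured check
registrations. CONSUL_ADDR, CHECK_ID, ALLOWED_HOSTS and the samples are assumptions."""
import ipaddress
import json
import urllib.error
import urllib.request
from typing import Optional
from urllib.parse import urlparse

CONSUL_ADDR = "http://127.0.0.1:8500"  # assumption: agent on the default HTTP port
CHECK_ID = "cve-2022-29153-probe"      # hypothetical check ID, deregistered after the probe


def probe_payload(check_id: str = CHECK_ID) -> dict:
    """A valid HTTP check plus the `disable_redirects` field that only fixed versions
    (1.9.17 / 1.10.10 / 1.11.5 and later) know. Vulnerable agents reject the whole
    body with HTTP 400 and register nothing."""
    return {
        "ID": check_id,
        "Name": "disable_redirects probe",
        "HTTP": "http://127.0.0.1:8500/v1/status/leader",  # harmless local target
        "Interval": "10s",
        "disable_redirects": True,  # the mitigation field itself
    }


def classify(status: int, body: str) -> str:
    """Map the register response onto a verdict."""
    if status == 400 and 'unknown field "disable_redirects"' in body:
        return "vulnerable"
    if status == 200:
        return "fixed"  # field accepted and the check was registered
    if status == 403:
        # Assumption: the body is decoded (unknown field rejected) before the ACL
        # check, so a 403 means the field was accepted but ACLs denied registration.
        return "fixed-acl-denied"
    return "unknown"


def probe(addr: str = CONSUL_ADDR, token: Optional[str] = None) -> str:
    """Send the probe over the network and remove the check if it was accepted."""
    headers = {"Content-Type": "application/json"}
    if token:
        headers["X-Consul-Token"] = token
    data = json.dumps(probe_payload()).encode()
    req = urllib.request.Request(addr + "/v1/agent/check/register", data=data,
                                 method="PUT", headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            verdict = classify(resp.status, resp.read().decode(errors="replace"))
    except urllib.error.HTTPError as err:
        verdict = classify(err.code, err.read().decode(errors="replace"))
    if verdict == "fixed":  # undo the side effect of a successful registration
        cleanup = urllib.request.Request(addr + "/v1/agent/check/deregister/" + CHECK_ID,
                                         method="PUT", headers=headers)
        urllib.request.urlopen(cleanup, timeout=5).close()
    return verdict


# Detection side. Consul's own HTTP log does not record request bodies, so this runs
# over registration bodies captured at a reverse proxy, WAF or tap in front of port 8500.
ALLOWED_HOSTS = {"app.internal.example"}  # assumption: hosts checks are expected to target


def check_findings(check_def: dict, allowed_hosts=ALLOWED_HOSTS) -> list:
    """Reasons a registration body looks like an SSRF attempt (empty if none)."""
    findings = []
    url = check_def.get("HTTP") or check_def.get("http")
    if not url:
        return findings  # not an HTTP check (TCP, script, TTL, ...)
    host = urlparse(url).hostname or ""
    try:
        ip = ipaddress.ip_address(host)
        if ip.is_private or ip.is_loopback or ip.is_link_local:
            findings.append("non-public target " + host)
    except ValueError:
        # Not an IP literal. An external host can still redirect the agent inward,
        # which is exactly this CVE, so anything off the allowlist counts.
        if host not in allowed_hosts:
            findings.append("unexpected host " + host)
    if not (check_def.get("disable_redirects") or check_def.get("DisableRedirects")):
        findings.append("redirects not disabled")
    return findings


SAMPLE_REGISTRATIONS = [  # constructed for this example
    {"src": "10.0.0.5", "body": {"ID": "web", "HTTP": "http://app.internal.example/health",
                                 "disable_redirects": True}},
    {"src": "203.0.113.9", "body": {"ID": "x", "HTTP": "http://169.254.169.254/latest/meta-data/"}},
    {"src": "203.0.113.9", "body": {"ID": "y", "HTTP": "http://attacker.example/start"}},
]


def triage(registrations=SAMPLE_REGISTRATIONS) -> list:
    """(source IP, check ID, findings) for every registration with at least one finding."""
    rows = [(r["src"], r["body"].get("ID"), check_findings(r["body"])) for r in registrations]
    return [row for row in rows if row[2]]
```

`probe()` has a side effect on a patched agent (it registers, then deregisters, a check), so run it with a token that is allowed to do that and expect an audit trail; `classify()` and `triage()` are pure and can be exercised offline against the constructed samples. The third sample is the one to notice: an ordinary-looking external URL is flagged only because redirects are not disabled, which is the whole point of this CVE.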
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N |
| ghsa | — | 7.5 | HIGH | — |
| osv | — | 7.5 | HIGH | — |
| vulncheck | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | HIGH | — |
| vendor_redhat | — | 7.5 | HIGH | — |
OSV
Hashicorp Consul HTTP health check endpoints returning an HTTP redirect may be abused as SSRF vector in github.com/hashicorp/consul
osv · 2024-08-21
OSV
Hashicorp Consul HTTP health check endpoints returning an HTTP redirect may be abused as SSRF vector
osv · 2022-04-20 · CVSS 7.5 · HIGH
A vulnerability was identified in Consul and Consul Enterprise ("Consul") such that HTTP health check endpoints returning an HTTP redirect may be abused as a vector for server-side request forgery (SSRF). This vulnerability, CVE-2022-29153, was fixed in Consul 1.9.17, 1.10.10, and 1.11.5.
GHSA
Hashicorp Consul HTTP health check endpoints returning an HTTP redirect may be abused as SSRF vector
ghsa · 2022-04-20 · CVSS 7.5 · HIGH · CWE-918
A vulnerability was identified in Consul and Consul Enterprise ("Consul") such that HTTP health check endpoints returning an HTTP redirect may be abused as a vector for server-side request forgery (SSRF). This vulnerability, CVE-2022-29153, was fixed in Consul 1.9.17, 1.10.10, and 1.11.5.
OSV
CVE-2022-29153: HashiCorp Consul and Consul Enterprise SSRF via health check redirects
osv · 2022-04-19 · CVSS 7.5 · HIGH
HashiCorp Consul and Consul Enterprise up to 1.9.16, 1.10.9, and 1.11.4 may allow server side request forgery when the Consul client agent follows redirects returned by HTTP health check endpoints. Fixed in 1.9.17, 1.10.10, and 1.11.5.
VulnCheck
hashicorp consul Server-Side Request Forgery (SSRF)
vulncheck · 2022 · CVSS 7.5 · HIGH
HashiCorp Consul and Consul Enterprise up to 1.9.16, 1.10.9, and 1.11.4 may allow server side request forgery when the Consul client agent follows redirects returned by HTTP health check endpoints. Fixed in 1.9.17, 1.10.10, and 1.11.5.
Affected: hashicorp consul
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References:
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-13&host_type=src&vulnerability=cve-2022-29153
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-01-22&host_type=src&vulnerability=cve-2022-29153
- https://dashboard.shadowserver.org
Red Hat
consul: Hashicorp Consul HTTP health check endpoints returning an HTTP redirect may be abused as SSRF vector
vendor_redhat · 2022-04-19 · CVSS 7.5 · HIGH · CWE-918
HashiCorp Consul and Consul Enterprise up to 1.9.16, 1.10.9, and 1.11.4 may allow server side request forgery when the Consul client agent follows redirects returned by HTTP health check endpoints. Fixed in 1.9.17, 1.10.10, and 1.11.5.
A flaw was found in Consul and Consul Enterprise ("Consul") where HTTP health check endpoints returning an HTTP redirect can be abused as a vector for server-side request forgery (SSRF).
Statement: This vulnerability arises in the HashiCorp Consul client agent, which is not used in Red Hat products. Hence, we categorized this CVE as Moderate impact.
Package: openshift-logging/logging-loki-rhel9 (Logging Subsystem for Red Hat OpenShift)
Debian
consul
vendor_debian · 2022 · CVSS 7.5 · HIGH
HashiCorp Consul and Consul Enterprise up to 1.9.16, 1.10.9, and 1.11.4 may allow server side request forgery when the Consul client agent follows redirects returned by HTTP health check endpoints. Fixed in 1.9.17, 1.10.10, and 1.11.5.
Scope: local
bullseye: open
No detection rules found.
Nuclei
HashiCorp Consul/Consul Enterprise - Server-Side Request Forgery
nuclei · CVSS 7.5 · HIGH
HashiCorp Consul and Consul Enterprise up to 1.9.16, 1.10.9, and 1.11 are susceptible to server-side request forgery. When redirects are returned by HTTP health check endpoints, Consul follows these HTTP redirects by default. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
Template (info block as indexed; the request section is not included on this page):

```yaml
id: CVE-2022-29153

info:
  name: HashiCorp Consul/Consul Enterprise - Server-Side Request Forgery
  author: c-sh0
  severity: high
  description: |
    HashiCorp Consul and Consul Enterprise up to 1.9.16, 1.10.9, and 1.11 are susceptible to server-side request forgery. When redirects are returned by HTTP health check endpoints, Consul follows these HTTP redirects by default. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
```
No writeups or analysis indexed.
References:
- https://discuss.hashicorp.com/t/hcsec-2022-10-consul-s-http-health-check-may-allow-server-side-request-forgery/38393
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RBODKZL7HQE5XXS3SA2VIDVL4LAA5RWH/
- https://security.gentoo.org/glsa/202208-09
- https://security.netapp.com/advisory/ntap-20220602-0005/