CVE-2024-10006Improper Neutralization of HTTP Headers for Scripting Syntax in Consul

CWE-644Improper Neutralization of HTTP Headers for Scripting SyntaxCWE-116Improper Encoding or Escaping of OutputCWE-204Observable Response Discrepancy10 documents6 sources
Severity
5.8MEDIUMNVD
GHSA7.5
EPSS
0.0%
top 89.74%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
5
Hashicorp ConsulHashicorp Consul EnterpriseGithub.com Hashicorp Consul+2 more
Timeline
PublishedOct 30
Latest updateNov 4

Description

A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such that using Headers in L7 traffic intentions could bypass HTTP header based access rules.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages6 packages

CVEListV5hashicorp/consul_enterprise1.9.01.20.1
CVEListV5hashicorp/consul1.9.01.20.1
NVDhashicorp/consul1.4.11.20.1+4
Gogithub.com/hashicorp_consul1.9.01.20.1
debiandebian/consul

🔴Vulnerability Details

6
OSV
Hashicorp Consul Improper Neutralization of HTTP Headers for Scripting Syntax vulnerability in github.com/hashicorp/consul2024-11-04
OSV
Hashicorp Consul Improper Neutralization of HTTP Headers for Scripting Syntax vulnerability2024-10-31
GHSA
Hashicorp Consul Improper Neutralization of HTTP Headers for Scripting Syntax vulnerability2024-10-31
OSV
CVE-2024-10006: A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such that using Headers in L7 traffic intentions could bypass HTTP header ba2024-10-30
OSV
Login username enumeration in github.com/IceWhaleTech/CasaOS-UserService2024-04-02

📋Vendor Advisories

2
Red Hat
hashicorp/consul: consul: Consul L7 Intentions Vulnerable To Headers Bypass2024-10-30
Debian
CVE-2024-10006: consul - A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such t...2024

🕵️Threat Intelligence

1
Wiz
CVE-2026-2808 Impact, Exploitability, and Mitigation Steps | Wiz