Added HashiCorp Consul / Enterprise - Server Side Request Forgery

Co-Authored-By: csh <25989137+c-sh0@users.noreply.github.com>
2023-01-08 20:56:05 +05:30 · 2023-01-08 20:56:05 +05:30 · 579c3c9796
parent e89a2a41d4
commit 579c3c9796
1 changed files with 50 additions and 0 deletions
--- a/cves/2022/CVE-2022-29153.yaml
+++ b/cves/2022/CVE-2022-29153.yaml
@ -0,0 +1,50 @@
+id: CVE-2022-29153
+
+info:
+  name: HashiCorp Consul / Enterprise - Server Side Request Forgery
+  author: c-sh0
+  severity: high
+  description: HashiCorp Consul and Consul Enterprise up to 1.9.16, 1.10.9, and
+    1.11.4 may allow server side request forgery when the Consul client agent
+    follows redirects returned by HTTP health check endpoints. Consul follows
+    HTTP redirects by default. HTTP + Interval health check configuration now
+    provides a disable_redirects option to prohibit this behavior.
+  reference:
+    - https://nvd.nist.gov/vuln/detail/CVE-2022-29153
+    - https://discuss.hashicorp.com/t/hcsec-2022-10-consul-s-http-health-check-may-allow-server-side-request-forgery/38393
+    - https://github.com/hashicorp/consul/pull/12685
+    - https://developer.hashicorp.com/consul/docs/discovery/checks
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
+    cvss-score: 7.5
+    cve-id: CVE-2022-29153
+    cwe-id: CWE-918
+  tags: cve,cve2022,consul,ssrf,hashicorp
+
+requests:
+  - raw:
+      - |
+        PUT {{BaseURL}}/v1/agent/check/register HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/json
+
+        {
+         "id": "{{randstr}}",
+         "name": "{{randstr}}",
+         "method": "GET",
+         "http": "/dev/null",
+         "interval": "10s",
+         "timeout": "1s",
+         "disable_redirects": true
+        }
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 400
+
+      - type: word
+        part: body
+        words:
+          - unknown field "disable_redirects"