id: CVE-2022-29153

info:
  name: HashiCorp Consul/Enterprise - Server Side Request Forgery
  author: c-sh0
  severity: high
  description: |
    HashiCorp Consul and Consul Enterprise through 1.9.16, 1.10.9, and 1.11.4 may allow server side request forgery when the Consul client agent follows redirects returned by HTTP health check endpoints. Consul follows HTTP redirects by default. The fixed releases (1.9.17, 1.10.10 and 1.11.5) add a disable_redirects option to HTTP + Interval health check definitions that prohibits this behavior.
  reference:
    - https://discuss.hashicorp.com/t/hcsec-2022-10-consul-s-http-health-check-may-allow-server-side-request-forgery/38393
    - https://github.com/hashicorp/consul/pull/12685
    - https://developer.hashicorp.com/consul/docs/discovery/checks
    - https://nvd.nist.gov/vuln/detail/CVE-2022-29153
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
    cvss-score: 7.5
    cve-id: CVE-2022-29153
    cwe-id: CWE-918
  metadata:
    shodan-query: title:"Consul by HashiCorp"
    verified: "true"
  tags: cve,cve2022,consul,hashicorp,ssrf

# Detection logic: an unpatched agent does not know the disable_redirects
# field and rejects the registration with HTTP 400 and an "unknown field"
# error. A patched agent accepts the field; if the definition passes the
# agent's validation the check is actually registered, so deregister it
# afterwards (PUT /v1/agent/check/deregister/<check id>) when testing
# against patched hosts. The agent HTTP API is unauthenticated unless ACLs
# are enabled, which is why PR:N applies.
requests:
  - raw:
      - |
        PUT /v1/agent/check/register HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {
          "id": "{{randstr}}",
          "name": "{{randstr}}",
          "method": "GET",
          "http": "/dev/null",
          "interval": "10s",
          "timeout": "1s",
          "disable_redirects": true
        }

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - unknown field "disable_redirects"

      - type: status
        status:
          - 400
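The behaviour the description refers to, modelled as an added example in Go (this is illustrative code written for this page, not Consul's check runner and not part of the template): a health check whose target answers with a 302 to an internal-only service. With a default `http.Client` the checker follows the redirect and reaches the internal service; with `CheckRedirect` returning `http.ErrUseLastResponse` it stops at the 3xx, which is the effect `disable_redirects` is meant to have. The `newCheckClient`, `simulate` and `CheckResult` names, and both `httptest` servers, are constructed for the example.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"sync/atomic"
	"time"
)

// newCheckClient returns the HTTP client used to probe a check endpoint.
// With disableRedirects=true the client returns the first 3xx it sees
// instead of following it. This models the semantics of Consul's
// disable_redirects option; it is not Consul's implementation.
func newCheckClient(disableRedirects bool) *http.Client {
	client := &http.Client{Timeout: 2 * time.Second}
	if disableRedirects {
		client.CheckRedirect = func(*http.Request, []*http.Request) error {
			// Hand the 3xx response back to the caller rather than chasing Location.
			return http.ErrUseLastResponse
		}
	}
	return client
}

// CheckResult is what the health checker observed after one probe.
type CheckResult struct {
	Status       int    // final HTTP status seen by the checker
	Body         string // body of the final response (capped at 4 KiB)
	InternalHits int32  // how many times the internal service was reached
}

// simulate stands up two constructed httptest servers: an "internal" service
// that a health check should never be able to reach, and a check endpoint
// under the service owner's control that answers every probe with a redirect
// to the internal service. It then runs one HTTP health check against the
// endpoint and reports what the checker saw and whether the internal service
// was touched.
func simulate(disableRedirects bool) (CheckResult, error) {
	var hits int32

	internal := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		atomic.AddInt32(&hits, 1)
		fmt.Fprint(w, "internal-only-response")
	}))
	defer internal.Close()

	// The attacker-controlled check target: a plain 302 to the internal URL.
	endpoint := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		http.Redirect(w, r, internal.URL+"/admin", http.StatusFound)
	}))
	defer endpoint.Close()

	resp, err := newCheckClient(disableRedirects).Get(endpoint.URL + "/health")
	if err != nil {
		return CheckResult{}, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, 4096))
	if err != nil {
		return CheckResult{}, err
	}
	return CheckResult{
		Status:       resp.StatusCode,
		Body:         string(body),
		InternalHits: atomic.LoadInt32(&hits),
	}, nil
}

func main() {
	for _, disable := range []bool{false, true} {
		res, err := simulate(disable)
		if err != nil {
			fmt.Println("check error:", err)
			continue
		}
		fmt.Printf("disable_redirects=%-5v status=%d internal_hits=%d body=%q\n",
			disable, res.Status, res.InternalHits, res.Body)
	}
}
```

Run with `go run .`: the first line shows status 200, one hit on the internal service and its body in the checker's hands; the second shows status 302 and zero internal hits. The same asymmetry is what a real check target controlled by an attacker exploits: the redirect turns the agent, which may sit on a network the attacker cannot reach directly, into the client.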