51 lines
1.6 KiB
YAML
51 lines
1.6 KiB
YAML
id: CVE-2022-29153
|
|
|
|
info:
|
|
name: HashiCorp Consul/Enterprise - Server Side Request Forgery
|
|
author: c-sh0
|
|
severity: high
|
|
description: |
|
|
HashiCorp Consul and Consul Enterprise up to 1.9.16, 1.10.9, and 1.11.4 may allow server side request forgery when the Consul client agent follows redirects returned by HTTP health check endpoints. Consul follows HTTP redirects by default. HTTP + Interval health check configuration now provides a disable_redirects option to prohibit this behavior.
|
|
reference:
|
|
- https://discuss.hashicorp.com/t/hcsec-2022-10-consul-s-http-health-check-may-allow-server-side-request-forgery/38393
|
|
- https://github.com/hashicorp/consul/pull/12685
|
|
- https://developer.hashicorp.com/consul/docs/discovery/checks
|
|
- https://nvd.nist.gov/vuln/detail/CVE-2022-29153
|
|
classification:
|
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
|
|
cvss-score: 7.5
|
|
cve-id: CVE-2022-29153
|
|
cwe-id: CWE-918
|
|
metadata:
|
|
shodan-query: title:"Consul by HashiCorp"
|
|
verified: "true"
|
|
tags: cve,cve2022,consul,hashicorp,ssrf
|
|
|
|
requests:
|
|
- raw:
|
|
- |
|
|
PUT /v1/agent/check/register HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Content-Type: application/json
|
|
|
|
{
|
|
"id": "{{randstr}}",
|
|
"name": "{{randstr}}",
|
|
"method": "GET",
|
|
"http": "/dev/null",
|
|
"interval": "10s",
|
|
"timeout": "1s",
|
|
"disable_redirects": true
|
|
}
|
|
|
|
matchers-condition: and
|
|
matchers:
|
|
- type: word
|
|
part: body
|
|
words:
|
|
- unknown field "disable_redirects"
|
|
|
|
- type: status
|
|
status:
|
|
- 400
|