nuclei-templates/cves/2022/CVE-2022-29153.yaml

48 lines
1.5 KiB
YAML

id: CVE-2022-29153
info:
name: HashiCorp Consul/Enterprise - Server Side Request Forgery
author: c-sh0
severity: high
description: |
HashiCorp Consul and Consul Enterprise up to 1.9.16, 1.10.9, and 1.11.4 may allow server side request forgery when the Consul client agent follows redirects returned by HTTP health check endpoints. Consul follows HTTP redirects by default. HTTP + Interval health check configuration now provides a disable_redirects option to prohibit this behavior.
reference:
- https://discuss.hashicorp.com/t/hcsec-2022-10-consul-s-http-health-check-may-allow-server-side-request-forgery/38393
- https://github.com/hashicorp/consul/pull/12685
- https://developer.hashicorp.com/consul/docs/discovery/checks
- https://nvd.nist.gov/vuln/detail/CVE-2022-29153
classification:
cve-id: CVE-2022-29153
metadata:
verified: true
shodan-query: title:"Consul by HashiCorp"
tags: cve,cve2022,consul,hashicorp,ssrf
requests:
- raw:
- |
PUT /v1/agent/check/register HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
{
"id": "{{randstr}}",
"name": "{{randstr}}",
"method": "GET",
"http": "/dev/null",
"interval": "10s",
"timeout": "1s",
"disable_redirects": true
}
matchers-condition: and
matchers:
- type: word
part: body
words:
- unknown field "disable_redirects"
- type: status
status:
- 400