ALT-PU-2024-18503-1

BDU:2024-09879

MEDIUM5.8

Уязвимость инструмента настройки сервисов Consul Community Edition и Consul Enterprise, связанная с непринятием мер по нейтрализации заголовков HTTP для синтаксиса сценариев, позволяющая нарушителю получить достпу к конфиденциальной информации

Published: 2024-11-19

CVSS 3.xMEDIUM 5.8

CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N

CVSS 2.0MEDIUM 5.0

CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:P/A:N

References

CVE-2024-10006

BDU:2024-10201

HIGH8.1

Уязвимость инструмента настройки сервиса Consul, связанная с неверным ограничением имени пути к каталогу с ограниченным доступом, позволяющая нарушителю обойти ограничения безопасности

Published: 2024-11-25

CVSS 3.xHIGH 8.1

CVSS:3.x/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CVSS 2.0HIGH 8.5

CVSS:2.0/AV:N/AC:L/Au:S/C:C/I:C/A:N

References

CVE-2024-10005

CVE-2024-10005

MEDIUM5.8

A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such that using URL paths in L7 traffic intentions could bypass HTTP request path-based access rules.

Published: 2024-10-30Modified: 2025-01-10

CVSS 3.xMEDIUM 5.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N

References

CVE-2024-10006

MEDIUM5.8

A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such that using Headers in L7 traffic intentions could bypass HTTP header based access rules.

Published: 2024-10-30Modified: 2025-01-10

CVSS 3.xMEDIUM 5.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N

References

GHSA-5c4w-8hhh-3c3h

MEDIUM6.9

Hashicorp Consul Improper Neutralization of HTTP Headers for Scripting Syntax vulnerability

Published: 2024-10-31Modified: 2025-01-10

CVSS 3.x

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

CVSS 4.0

CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L

References

GHSA-chgm-7r52-whjj

HIGH8.6

Hashicorp Consul Path Traversal vulnerability

Published: 2024-10-31Modified: 2025-01-10

CVSS 3.xHIGH 8.6

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CVSS 4.0HIGH 8.6

CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

References

Package update consul in branch sisyphus

Closed issues (6)

A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such that using URL paths in L7 traffic intentions could bypass HTTP request path-based access rules.

A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such that using Headers in L7 traffic intentions could bypass HTTP header based access rules.

Hashicorp Consul Improper Neutralization of HTTP Headers for Scripting Syntax vulnerability

Hashicorp Consul Path Traversal vulnerability