Security for everyone

CVE-2022-29153 Scanner

Detects the server-side request forgery (SSRF) vulnerability in HashiCorp Consul and Consul Enterprise, which affects versions up to 1.9.16, 1.10.9, and 1.11.4.

Short Info

Level: High
Single Scan
Can be used by: Asset Owner
Estimated Time: 10 sec
Scan only one: Domain, IPv4
Toolbox: -

HashiCorp Consul and Consul Enterprise are widely used products for service networking, providing a solution for managing and balancing the traffic between services. They are designed to make service-to-service communication secure and automated across any cloud or runtime. These products offer features such as service discovery, service segmentation, network federation, and service mesh architecture to optimize application delivery and scalability.

However, these products were recently found to have a vulnerability tracked as CVE-2022-29153. This vulnerability allows server-side request forgery (SSRF) when the Consul client agent follows redirects returned by HTTP health check endpoints. Attackers can exploit this vulnerability to bypass security restrictions, launch malicious code, and execute arbitrary requests on behalf of the user or server. The vulnerability was initially detected in HashiCorp Consul and Consul Enterprise versions up to 1.9.16, 1.10.9, and 1.11.4.
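The redirect-following behaviour described above can be reproduced safely on loopback. The following is an added example, not HashiCorp's code and not part of the scanner: a minimal Go stand-in for an HTTP health checker, shown with redirects followed and with redirects refused. The function names, paths and both test servers are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync/atomic"
)

// probe is a stand-in health checker (illustrative, not Consul's code).
func probe(url string, followRedirects bool) (int, error) {
	c := &http.Client{} // Go's default client follows up to 10 redirects
	if !followRedirects {
		// Hardened: hand back the 3xx response instead of chasing Location.
		c.CheckRedirect = func(*http.Request, []*http.Request) error {
			return http.ErrUseLastResponse
		}
	}
	resp, err := c.Get(url)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

// demo runs two constructed loopback servers: "internal" stands for an endpoint
// only the agent can reach, "checked" is the registered health endpoint, which
// answers with a redirect. It returns the requests seen by internal and the status.
func demo(followRedirects bool) (internalHits int32, status int) {
	var hits int32
	internal := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		atomic.AddInt32(&hits, 1)
	}))
	defer internal.Close()
	checked := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		http.Redirect(w, r, internal.URL+"/internal-only", http.StatusFound)
	}))
	defer checked.Close()
	status, _ = probe(checked.URL+"/health", followRedirects)
	return atomic.LoadInt32(&hits), status
}

func main() {
	for _, follow := range []bool{true, false} {
		hits, status := demo(follow)
		fmt.Printf("followRedirects=%v status=%d internalHits=%d\n", follow, status, hits)
	}
}
```

With redirects followed, the checker itself issues the request to the second server and records its 200; with redirects refused, the check records the 302 and the second server is never contacted.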

If this vulnerability is exploited, it can lead to serious security implications for an organization. Cyber attackers can gain unauthorized access to sensitive company data and make unauthorized changes, compromising the security and integrity of the system. The security of an organization's digital assets may be put at risk due to exploitable system vulnerabilities. As a result, businesses could suffer from financial losses, damage to their reputation, and loss of credibility.

Thanks to the pro features of the securityforeveryone.com platform, readers can easily and quickly learn about vulnerabilities in their digital assets. The platform offers comprehensive security services such as vulnerability assessments, penetration testing, and secure code review for applications, providing a complete analysis of systems and networks. By leveraging this platform, businesses can ensure the highest level of protection for their digital assets.
