Description
HashiCorp Consul and Consul Enterprise up to 1.9.16, 1.10.9, and 1.11.4 may allow server-side request forgery when the Consul client agent follows redirects returned by HTTP health check endpoints. Fixed in 1.9.17, 1.10.10, and 1.11.5.
A flaw was found in Consul and Consul Enterprise ("Consul") where HTTP health check endpoints that return an HTTP redirect can be abused as a vector for server-side request forgery (SSRF), because the client agent follows the redirect.
Statement
This vulnerability arises in the HashiCorp Consul client agent, which is not used in Red Hat products. Hence, we categorized this CVE as Moderate impact.
Affected packages
Platform | Package | State | Advisory | Release |
---|---|---|---|---|
Logging Subsystem for Red Hat OpenShift | openshift-logging/logging-loki-rhel8 | Will not fix | | |
Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/acm-grafana-rhel8 | Not affected | | |
Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/cluster-curator-controller-rhel8 | Not affected | | |
Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/managedcluster-import-controller-rhel8 | Not affected | | |
Red Hat OpenShift Container Platform 4 | openshift4/ose-grafana | Not affected | | |
Red Hat OpenShift Container Platform 4 | openshift4/topology-aware-lifecycle-manager-rhel8-operator | Affected | | |
Red Hat OpenShift Container Platform 4 | openshift4/topology-aware-lifecycle-operator-precache-rhel8 | Affected | | |
Red Hat Openshift Data Foundation 4 | odf4/odf-multicluster-rhel9-operator | Affected | | |
Red Hat Openshift Data Foundation 4 | odf4/odr-rhel8-operator | Affected | | |
Additional information
Status:
EPSS
CVSS3: 7.5 High
Related vulnerabilities
Hashicorp Consul HTTP health check endpoints returning an HTTP redirect may be abused as SSRF vector
Vulnerability in the Consul and Consul Enterprise service configuration tool, caused by insufficient validation of server-side requests, allowing an attacker to carry out an SSRF attack