Bypassing HTTP Request Path-Based Access Rules Through URL Paths in L7 Traffic
CVE-2024-10005

5.8MEDIUM

Key Information:

Vendor: Hashicorp
Status: Consul; Consul Enterprise
Vendor: CVE Published:; 30 October 2024

Summary

A vulnerability in Consul and Consul Enterprise allows attackers to bypass HTTP request path-based access controls through the manipulation of URL paths in Layer 7 (L7) traffic intentions. This could lead to unauthorized access to sensitive resources and pose a significant risk to network security. Users are advised to review their access control configurations and apply necessary updates to mitigate potential exploits related to this issue.

Affected Version(s)

Consul 64 bit 1.9.0 < 1.20.1

Consul Enterprise 64 bit 1.9.0 < 1.20.1

References

https://discuss.hashicorp.com/t/hcsec-2024-22-consul-l7-i...

CVSS V3.1

Score:

5.8

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
Oct 30, 2024
Vulnerability Reserved
Oct 15, 2024