CVE-2022-29153
Hashicorp Consul HTTP health check endpoints returning an HTTP redirect may be abused as SSRF vector in github.com/hashicorp/consul
CVSS 3.1 score: 7.5 (HIGH)
EPSS: 87.8%
Description
HashiCorp Consul and Consul Enterprise up to 1.9.16, 1.10.9, and 1.11.4 may allow server side request forgery when the Consul client agent follows redirects returned by HTTP health check endpoints. Fixed in 1.9.17, 1.10.10, and 1.11.5.
How to fix CVE-2022-29153
To remediate CVE-2022-29153, upgrade the affected package to a fixed version below.
- upgrade to 1.9.17 or later
- no fix listed
- upgrade to 1.9.17 or later
- upgrade to 1.9.17 or later
Is CVE-2022-29153 being exploited?
Likely — EPSS is 87.8%, placing CVE-2022-29153 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.
Affected packages (4)
- >= 0, < 1.9.17; >= 1.10.0, < 1.10.10; >= 1.11.0, < 1.11.5
- >= 0
- >= 0, < 1.9.17
- >= 0, < 1.9.17; >= 1.10.0, < 1.10.10; >= 1.11.0, < 1.11.5
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (7.5) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |