Fluid Attacks Database

Description

Hashicorp Consul Path Traversal vulnerability A vulnerability was identified in Consul and Consul Enterprise ("Consul") such that using URL paths in L7 traffic intentions could bypass HTTP request path-based access rules.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	consul	=1.10.12+dfsg1-1 \|\| =1.8.7+dfsg1-2 \|\| =1.8.7+dfsg1-3 \|\| =1.8.7+dfsg1-4 \|\| =1.8.7+dfsg1-5 \|\| =1.8.7+dfsg1-6 \|\| =1.9.17+dfsg2-1	-
go	github.com/hashicorp/consul	>=1.9.0 <1.20.1	1.20.1

Aliases

1. CVE-2024-100052. NVD-2024-100053. OSV-DEBIAN-2024-100054. OSV-2024-100055. GHSA-chgm-7r52-whjj6. GCVE-2024-100057. SECURITY-TRACKER-CVE-2024-10005

References

1. https://github.com/hashicorp/consul/pull/218162. https://github.com/hashicorp/consul/commit/d9206fc7e284a9244af4d62f8653a63ca30bd00c3. https://discuss.hashicorp.com/t/hcsec-2024-22-consul-l7-intentions-vulnerable-to-url-path-bypass4. https://security.netapp.com/advisory/ntap-20250110-0004

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.