CVE-2022-29153
Basic Information
- CVE State: PUBLISHED
- Reserved Date: April 13, 2022
- Published Date: April 19, 2022
- Last Updated: August 03, 2024
- Vendor: HashiCorp
- Product: Consul & Consul Enterprise
- Description: HashiCorp Consul and Consul Enterprise up to 1.9.16, 1.10.9, and 1.11.4 may allow server side request forgery when the Consul client agent follows redirects returned by HTTP health check endpoints. Fixed in 1.9.17, 1.10.10, and 1.11.5.
- Tags
- Score: 87.42% (Percentile: 99.41%) as of 2025-06-14
- Exploited in the Wild: Yes (2025-05-31 00:00:00 UTC) Source
nuclei_scanner
CVSS Scores
CVSS v3.1
7.5 - HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CVSS v2.0
5.0
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N
References
https://discuss.hashicorp.com
https://discuss.hashicorp.com/t/hcsec-2022-10-consul-s-http-health-check-may-allow-server-side-request-forgery/38393
https://security.netapp.com/advisory/ntap-20220602-0005/
https://security.gentoo.org/glsa/202208-09
https://discuss.hashicorp.com/t/hcsec-2022-10-consul-s-http-health-check-may-allow-server-side-request-forgery/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RBODKZL7HQE5XXS3SA2VIDVL4LAA5RWH/
Known Exploited Vulnerability Information
Source | Added Date |
---|---|
The Shadowserver (via CIRCL) | 2025-06-01 12:00:38 UTC |
Scanner Integrations
Scanner | URL | Date Detected |
---|---|---|
Nuclei | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2022/CVE-2022-29153.yaml | 2025-04-26 00:00:00 UTC |
Timeline
- CVE ID Reserved
- CVE Published to Public
- Detected by Nuclei
- Added to KEVIntel