Vulnerability Details CVE-2021-28156
HashiCorp Consul Enterprise version 1.8.0 up to 1.9.4 audit log can be bypassed by specifically crafted HTTP events. Fixed in 1.9.5, and 1.8.10.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.007
EPSS Ranking 71.2%
CVSS Severity
CVSS v3 Score 7.5
CVSS v2 Score 5.0
References
- https://discuss.hashicorp.com/t/hcsec-2021-08-consul-enterprise-audit-log-bypass-for-http-events/23369
- https://security.gentoo.org/glsa/202208-09
- https://www.hashicorp.com/blog/category/consul
- https://discuss.hashicorp.com/t/hcsec-2021-08-consul-enterprise-audit-log-bypass-for-http-events/23369
- https://security.gentoo.org/glsa/202208-09
- https://www.hashicorp.com/blog/category/consul
Products affected by CVE-2021-28156
-
cpe:2.3:a:hashicorp:consul:1.8.0
-
cpe:2.3:a:hashicorp:consul:1.8.1
-
cpe:2.3:a:hashicorp:consul:1.8.2
-
cpe:2.3:a:hashicorp:consul:1.8.3
-
cpe:2.3:a:hashicorp:consul:1.8.4
-
cpe:2.3:a:hashicorp:consul:1.8.5
-
cpe:2.3:a:hashicorp:consul:1.8.6
-
cpe:2.3:a:hashicorp:consul:1.8.7
-
cpe:2.3:a:hashicorp:consul:1.8.8
-
cpe:2.3:a:hashicorp:consul:1.8.9
-
cpe:2.3:a:hashicorp:consul:1.9.0
-
cpe:2.3:a:hashicorp:consul:1.9.1
-
cpe:2.3:a:hashicorp:consul:1.9.2
-
cpe:2.3:a:hashicorp:consul:1.9.3
-
cpe:2.3:a:hashicorp:consul:1.9.4