CVE-2021-28156: 
Consul vulnerability analysis and mitigation

HashiCorp Consul Enterprise version 1.8.0 through 1.9.4 contained a vulnerability where audit log could be bypassed by specifically crafted HTTP events. The vulnerability, identified as CVE-2021-28156, was discovered by the HashiCorp product security team and was fixed in versions 1.9.5 and 1.8.10 (HashiCorp Advisory).

The vulnerability allows an attacker to maliciously craft valid HTTP requests with specific parameters that cause HTTP events to be incorrectly excluded from Consul Enterprise's audit log. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N (NVD).

This vulnerability affects the audit log feature in Consul Enterprise, which is intended to capture a clear and actionable log of authenticated events (both attempted and committed). When exploited, certain HTTP events could be excluded from the audit trail, potentially impacting security monitoring and compliance requirements (HashiCorp Advisory).

Organizations using affected versions should upgrade to Consul Enterprise version 1.9.5, 1.8.10, or newer. The upgrade process should follow the general guidance and version-specific upgrade notes provided in the Consul documentation (HashiCorp Advisory).