CVE-2024-10005
Consul vulnerability analysis and mitigation

Overview

A vulnerability (CVE-2024-10005) was identified in HashiCorp Consul and Consul Enterprise that allows bypassing HTTP request path-based access rules through URL paths in L7 traffic intentions. The vulnerability affects Consul Community Edition versions from 1.4.1 to 1.20.0 and Consul Enterprise versions from 1.9.0 to 1.20.0. This issue was discovered and disclosed on October 30, 2024 (HashiCorp Advisory).

Technical details

The vulnerability stems from a lack of path normalization in Consul's L7 traffic intentions system: the request path was matched against intention rules without first being canonicalized, so URL-encoded paths and/or paths containing multiple consecutive slashes could be used to bypass permissions defined in the intentions. The vulnerability has been assigned a CVSS v3.1 base score of 5.8 (MEDIUM) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N by NIST, while HashiCorp assessed it with a score of 8.1 (HIGH) with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N (NVD).

Impact

Successful exploitation of this vulnerability could lead to unauthorized access through bypass of HTTP request path-based access rules, potentially resulting in the addition or modification of data. The vulnerability affects the application-aware controls (L7 intentions) used to configure deny- and allow-list based rules (HashiCorp Advisory, NetApp Advisory).

Mitigation and workarounds

The vulnerability has been fixed in Consul Community Edition 1.20.1 and Consul Enterprise versions 1.20.1, 1.19.3, 1.18.5, and 1.15.15. All versions released after these fixes have basic path normalization enabled by default. Organizations using application-aware (L7) intentions should evaluate their risk and consider upgrading to the fixed versions (HashiCorp Advisory).
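The following Go example, added here and not taken from Consul's code base, illustrates the class of problem described in the technical details and the kind of basic path normalization the fixed releases enable: a prefix-based deny rule is evaluated once against the raw request path and once against a canonicalized path (percent-decoded, repeated slashes collapsed, dot segments resolved). The `pathRule`, `normalizePath` and `evaluate` names, and the sample rule set, are this example's own constructions; the rule shape is modeled loosely on the `PathPrefix` matcher in Consul's HTTP intention permissions.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// pathRule is a constructed stand-in for an L7 intention permission:
// the first rule whose prefix matches the request path decides the action.
type pathRule struct {
	PathPrefix string
	Action     string // "allow" or "deny"
}

// normalizePath canonicalizes a request path before rule matching:
// percent-decoding, then path.Clean collapses "//" and resolves "." and "..".
// Illustrative implementation, not Consul's own normalizer.
func normalizePath(p string) (string, error) {
	decoded, err := url.PathUnescape(p)
	if err != nil {
		return "", err
	}
	if !strings.HasPrefix(decoded, "/") {
		decoded = "/" + decoded
	}
	return path.Clean(decoded), nil
}

// evaluate returns the action of the first matching rule, or "deny" when
// nothing matches. With normalize=false it mirrors the unpatched behaviour.
func evaluate(rules []pathRule, reqPath string, normalize bool) (string, error) {
	p := reqPath
	if normalize {
		var err error
		if p, err = normalizePath(reqPath); err != nil {
			return "deny", err // fail closed on undecodable input
		}
	}
	for _, r := range rules {
		if strings.HasPrefix(p, r.PathPrefix) {
			return r.Action, nil
		}
	}
	return "deny", nil
}

func main() {
	rules := []pathRule{{"/admin", "deny"}, {"/", "allow"}}
	for _, req := range []string{"/admin/users", "//admin/users", "/%61dmin/users"} {
		raw, _ := evaluate(rules, req, false)
		norm, _ := evaluate(rules, req, true)
		fmt.Printf("%-16s raw=%-5s normalized=%s\n", req, raw, norm)
	}
}
```

Running it shows the raw matcher letting the two non-canonical forms through the deny prefix while the normalized matcher denies all three.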
