CVE-2024-10006: 
Consul vulnerability analysis and mitigation

A vulnerability (CVE-2024-10006) was identified in Consul and Consul Enterprise that allows bypassing HTTP header-based access rules through L7 traffic intentions. The vulnerability affects Consul Community Edition versions from 1.4.1 to 1.20.0 and Consul Enterprise versions from 1.9.0 to 1.20.0, 1.19.2, 1.18.4, and 1.15.14. The issue was discovered and disclosed on October 30, 2024 (HashiCorp Advisory).

The vulnerability stems from a lack of header normalization in Consul's L7 intentions implementation. Multiple headers and case-sensitivity issues could be exploited to bypass permissions defined in the intentions. The vulnerability has been assigned a CVSS v3.1 base score of 5.8 (MEDIUM) by NIST with a vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N, while HashiCorp assessed it with a higher score of 8.3 (HIGH) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L (NVD).

Successful exploitation of this vulnerability could lead to the bypass of HTTP header-based access rules, potentially resulting in unauthorized access and modification of data. The vulnerability affects the application-aware controls in L7 intentions, compromising the intended access control mechanisms (NetApp Advisory).

The vulnerability has been fixed in Consul Community Edition 1.20.1 and Consul Enterprise versions 1.20.1, 1.19.3, 1.18.5, and 1.15.15. Organizations using application-aware (L7) intentions should evaluate their risk and upgrade to the fixed versions. Additionally, administrators should update L7 HTTP Headers intentions to ensure match rules are resilient to circumvention (HashiCorp Advisory).