CVE-2024-10086: 
Consul vulnerability analysis and mitigation

A vulnerability was identified in Consul and Consul Enterprise (CVE-2024-10086) where the server response did not explicitly set a Content-Type HTTP header, allowing user-provided inputs to be misinterpreted and lead to reflected XSS. The vulnerability affects Consul Community Edition versions 1.4.1 to 1.19.2 and Consul Enterprise versions from 1.4.1 to 1.19.2, 1.18.4, and 1.15.14 (HashiCorp Advisory).

The vulnerability stems from Consul's HTTP server implementation using Go's net/http package. When the Content-Type HTTP header is not explicitly set in an HTTP response, the server attempts to guess and set the Content-Type based on the HTTP request body content value. This behavior can be exploited for reflected Cross-site Scripting attacks. The vulnerability has been assigned a CVSS v3.1 base score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (NVD).

Successful exploitation of this vulnerability could lead to reflected XSS attacks, potentially resulting in account takeovers, disclosure of sensitive information, or modification of data (HashiCorp Advisory, NetApp Advisory).

The vulnerability has been fixed in Consul Community Edition 1.20.0 and Consul Enterprise versions 1.20.0, 1.19.3, 1.18.5, and 1.15.15. Organizations are advised to evaluate the risk and upgrade to these or newer versions. Users should refer to the Consul upgrading documentation for general guidance and version-specific upgrade notes (HashiCorp Advisory).