Vulnerability Description
HashiCorp Consul Enterprise version 1.8.0 up to 1.9.4 audit log can be bypassed by specifically crafted HTTP events. Fixed in 1.9.5, and 1.8.10.
CVSS Score
7.5
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Hashicorp | Consul | >= 1.8.0, < 1.8.10 |
References
- https://discuss.hashicorp.com/t/hcsec-2021-08-consul-enterprise-audit-log-bypassVendor Advisory
- https://security.gentoo.org/glsa/202208-09Third Party Advisory
- https://www.hashicorp.com/blog/category/consulVendor Advisory
- https://discuss.hashicorp.com/t/hcsec-2021-08-consul-enterprise-audit-log-bypassVendor Advisory
- https://security.gentoo.org/glsa/202208-09Third Party Advisory
- https://www.hashicorp.com/blog/category/consulVendor Advisory
FAQ
What is CVE-2021-28156?
CVE-2021-28156 is a vulnerability with a CVSS score of 7.5 (HIGH). HashiCorp Consul Enterprise version 1.8.0 up to 1.9.4 audit log can be bypassed by specifically crafted HTTP events. Fixed in 1.9.5, and 1.8.10.
How severe is CVE-2021-28156?
CVE-2021-28156 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-28156?
Check the references section above for vendor advisories and patch information. Affected products include: Hashicorp Consul.