HCSEC-2024-22

**Bulletin ID:** HCSEC-2024-22

**Affected Products / Versions:** Consul Community Edition from 1.9.0 up to 1.20.0, fixed in 1.20.1. Consul Enterprise from 1.9.0 up to 1.20.0, 1.19.2, 1.18.4, 1.15.14, fixed in 1.20.1, 1.19.3, 1.18.5, and 1.15.15.

**Publication Date:** October 30, 2024

**Summary**

A vulnerability was identified in Consul and Consul Enterprise ("Consul") such that using URL paths in L7 traffic intentions could bypass HTTP request path-based access rules. This vulnerability, identified as CVE-2024-10005, is fixed in Consul Community Edition 1.20.1 and Consul Enterprise 1.20.1, 1.19.3, 1.18.5, and 1.15.15.

**Background**

[Intentions](https://developer.hashicorp.com/consul/docs/connect/intentions) control traffic communication between services at the network layer, also called L4 traffic, or the application layer, also called L7 traffic. For destination services using an HTTP-based protocol, the [L7 traffic intentions](https://developer.hashicorp.com/consul/docs/connect/intentions#l7-traffic-intentions) can enforce access based on application-aware request attributes to control traffic between services based on [service intention configuration](https://developer.hashicorp.com/consul/docs/connect/config-entries/service-intentions). Paths are part of the [HTTP permissions](https://developer.hashicorp.com/consul/docs/connect/config-entries/service-intentions#sources-permissions-http) configurable in L7 intentions to control traffic based on matching one or more provided values.

**Details**

Consul allows administrators to implement application-aware controls called L7 intentions to configure deny- and allow-list based rules. Due to a lack of path normalization, a vulnerability was identified where URL-encoded paths and/or multiple slashes could be exploited to bypass permissions defined in the intentions.

**Remediation**

Customers using application-aware (L7) intentions should evaluate the risk associated with this issue and consider upgrading to Consul 1.20.1, 1.19.3, 1.18.5, 1.15.15, or newer and updating [request normalization configuration](https://developer.hashicorp.com/consul/docs/connect/config-entries/mesh#request-normalization) based on their specific requirements. All versions of Consul released going forward, including the fix versions noted above, will have basic path normalization enabled by default. See Consul's [Security](https://developer.hashicorp.com/consul/docs/connect/security#request-normalization-configured-for-l7-intentions) and [Upgrading](https://developer.hashicorp.com/consul/docs/upgrading) documentation for general guidance on this process.

**Acknowledgement**

This issue was identified by HashiCorp's external security assessment partner and Consul engineering teams.

*We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see [https://hashicorp.com/security](https://hashicorp.com/security).*
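As an added illustration of the Details and Remediation sections (example code, not Consul's or Envoy's): a toy deny-list matcher shaped like an L7 intention's HTTP permissions, run on constructed request paths once against the raw path and once against a normalized path. The rule shape (ordered permissions with `PathPrefix`/`PathExact`, first match terminal) follows the linked service-intentions documentation; the normalization steps themselves are an assumption about what "basic path normalization" covers.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed rules shaped like an intention's HTTP permissions: ordered,
# first match is terminal. Deny everything under /admin, allow the rest.
RULES = [
    {"Action": "deny", "PathPrefix": "/admin"},
    {"Action": "allow", "PathPrefix": "/"},
]

def normalize_path(path: str) -> str:
    """Canonical form for matching (assumed steps). Single-pass decoding, so
    double-encoded paths stay encoded; '%2F' decodes to '/' here, which real
    proxies expose as an operator choice."""
    decoded = unquote(path)                  # '/%61dmin' -> '/admin'
    merged = re.sub(r"/{2,}", "/", decoded)  # '//admin'  -> '/admin'
    resolved = posixpath.normpath(merged)    # '/x/../admin' -> '/admin'
    if merged.endswith("/") and resolved != "/":
        resolved += "/"                      # normpath drops a trailing '/'
    return resolved

def matches(rule: dict, path: str) -> bool:
    if "PathExact" in rule:
        return path == rule["PathExact"]
    if "PathPrefix" in rule:
        return path.startswith(rule["PathPrefix"])
    return True                              # no path matcher: any path

def decide(path: str, normalize: bool) -> str:
    """Return the Action of the first matching rule ('deny' if none)."""
    candidate = normalize_path(path) if normalize else path
    for rule in RULES:
        if matches(rule, candidate):
            return rule["Action"]
    return "deny"

# Constructed requests: the literal target, three spellings of the same
# resource that differ only before normalization, and an unrelated path.
SAMPLES = ["/admin/users", "//admin/users", "/%61dmin/users",
           "/static/../admin/users", "/healthz"]

def evaluate(samples=SAMPLES) -> dict:
    """Map each path to (decision on raw path, decision after normalization)."""
    return {p: (decide(p, False), decide(p, True)) for p in samples}

if __name__ == "__main__":
    for p, (raw, norm) in evaluate().items():
        print(f"{p:24} raw={raw:5} normalized={norm}")
```

The raw-path column shows the allow decisions the deny rule was meant to prevent; the normalized column is the behaviour the fixed versions' default normalization is intended to give.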

**Timeline**

  • Oct 30, 2024 CVE Published