Bulletin ID: HCSEC-2024-24
Affected Products / Versions:
Consul Community Edition from 1.4.1 up to 1.19.2; fixed in 1.20.0.
Consul Enterprise from 1.4.1 up to 1.19.2, 1.18.4, 1.15.14; fixed in 1.20.0, 1.19.3, 1.18.5, and 1.15.15.
Publication Date: October 30, 2024
Summary
A vulnerability was identified in Consul and Consul Enterprise such that the server response did not explicitly set a Content-Type HTTP header, allowing user-provided inputs to be misinterpreted and lead to reflected XSS. This vulnerability, identified as CVE-2024-10086, is fixed in Consul Community Edition 1.20.0 and Consul Enterprise 1.20.0, 1.19.3, 1.18.5, and 1.15.15.
Background
Consul provides an HTTP server, using Go’s net/http package, from which the Consul API and web UI are served.
When the Content-Type HTTP header is not explicitly set in an HTTP response, Go’s net/http attempts to guess and set the Content-Type of the HTTP response based on the HTTP request body content value.
Details
The Consul HTTP server response did not explicitly specify a Content-Type header, which allowed user-provided inputs to be interpreted as a different content-type. This vulnerability can be exploited by attackers to perform reflected XSS attacks, leading to potential account takeovers.
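The following Go program is an added illustration of the mechanism described in the Background and Details sections above; it is not Consul code and does not reproduce the affected endpoint. A hypothetical handler (echoHandler) writes a caller-supplied query value straight back as the response body. When it omits the Content-Type header, net/http's sniffer (the same http.DetectContentType that the real server and httptest.ResponseRecorder both apply) labels a constructed, benign HTML-looking value as text/html; the hardened variant sets the header explicitly and adds X-Content-Type-Options: nosniff. The withContentTypeGuard middleware is an assumed defensive wrapper, not a Consul feature, that flags any handler which writes a body without first declaring a type and substitutes text/plain so the sniffer never runs.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// echoHandler is a hypothetical reflecting endpoint: it writes the "v" query
// value directly as the response body. With explicit=false it has the defect
// the bulletin describes (no Content-Type header), so net/http sniffs a type
// from the first bytes of the body. With explicit=true it is the hardened form.
func echoHandler(explicit bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if explicit {
			// Declare the type before the first Write so sniffing never happens,
			// and tell browsers not to second-guess the declared type.
			w.Header().Set("Content-Type", "text/plain; charset=utf-8")
			w.Header().Set("X-Content-Type-Options", "nosniff")
		}
		fmt.Fprint(w, r.URL.Query().Get("v"))
	}
}

// contentTypeGuard wraps a ResponseWriter and intercepts the first header
// flush. If the inner handler never set Content-Type, the omission is
// recorded (so it can be logged or alerted on) and a safe default is applied.
type contentTypeGuard struct {
	http.ResponseWriter
	wroteHeader bool
	omitted     *bool
}

func (g *contentTypeGuard) WriteHeader(code int) {
	if !g.wroteHeader {
		if g.Header().Get("Content-Type") == "" {
			*g.omitted = true
			g.Header().Set("Content-Type", "text/plain; charset=utf-8")
		}
		g.Header().Set("X-Content-Type-Options", "nosniff")
		g.wroteHeader = true
	}
	g.ResponseWriter.WriteHeader(code)
}

func (g *contentTypeGuard) Write(b []byte) (int, error) {
	// An implicit 200 on first Write must still pass through the guard.
	if !g.wroteHeader {
		g.WriteHeader(http.StatusOK)
	}
	return g.ResponseWriter.Write(b)
}

// withContentTypeGuard is an assumed middleware (not part of Consul) that
// enforces an explicit Content-Type on every response of next.
func withContentTypeGuard(next http.Handler, omitted *bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		next.ServeHTTP(&contentTypeGuard{ResponseWriter: w, omitted: omitted}, r)
	})
}

// observedContentType serves one constructed request through h and returns
// the Content-Type a client would receive.
func observedContentType(h http.Handler, value string) string {
	req := httptest.NewRequest(http.MethodGet, "/echo?v="+url.QueryEscape(value), nil)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Result().Header.Get("Content-Type")
}

func main() {
	// Constructed, harmless input that merely looks like an HTML document.
	sample := "<html><body>hello</body></html>"
	fmt.Println("no header set:   ", observedContentType(echoHandler(false), sample))
	fmt.Println("explicit header: ", observedContentType(echoHandler(true), sample))
	omitted := false
	fmt.Println("guarded handler: ", observedContentType(withContentTypeGuard(echoHandler(false), &omitted), sample))
	fmt.Println("guard flagged omission:", omitted)
}
```

The guard only corrects the header; the durable fix is what the patched Consul releases do, namely setting Content-Type in every response path. The `omitted` flag is the useful detection signal: wiring it to a log line or metric surfaces any handler that still relies on sniffing.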
Remediation
Customers should evaluate the risk associated with this issue and consider upgrading to Consul 1.20.0, 1.19.3, 1.18.5, 1.15.15 or newer.
Please refer to Upgrading Consul for general guidance and version-specific upgrade notes.
Acknowledgement
This issue was identified by HashiCorp's external security assessment partner and the Consul engineering team.
We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.