CVE-2021-28156: Audit / Logging Errors

April 20, 2021 (updated October 25, 2022)

HashiCorp Consul Enterprise version 1.8.0 up to 1.9.4 audit log can be bypassed by specifically crafted HTTP events. Fixed in 1.9.5, and 1.8.10.

References

discuss.hashicorp.com/t/hcsec-2021-08-consul-enterprise-audit-log-bypass-for-http-events/23369
nvd.nist.gov/vuln/detail/CVE-2021-28156
www.hashicorp.com/blog/category/consul

Detect and mitigate CVE-2021-28156 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →