CVE-2021-28156: Improper Input Validation

April 20, 2021 (updated October 25, 2022)

HashiCorp Consul Enterprise’s audit log can be bypassed by specifically crafted HTTP events. An attacker could maliciously craft valid HTTP requests with specific parameters which cause the HTTP event to be incorrectly excluded from Consul Enterprise’s audit log.

References

discuss.hashicorp.com/t/hcsec-2021-08-consul-enterprise-audit-log-bypass-for-http-events/23369
nvd.nist.gov/vuln/detail/CVE-2021-28156
www.hashicorp.com/blog/category/consul

Detect and mitigate CVE-2021-28156 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →