x/vulndb: potential Go vuln in github.com/hashicorp/consul: GHSA-chgm-7r52-whjj

[GoVulnBot]

Advisory GHSA-chgm-7r52-whjj references a vulnerability in the following Go modules:

Module
github.com/hashicorp/consul

Description: A vulnerability was identified in Consul and Consul Enterprise ("Consul") such that using URL paths in L7 traffic intentions could bypass HTTP request path-based access rules.

References:

• ADVISORY: https://github.com/advisories/GHSA-chgm-7r52-whjj
• ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2024-10005
• FIX: https://github.com/hashicorp/consul/commit/d9206fc7e284a9244af4d62f8653a63ca30bd00c
• FIX: https://github.com/hashicorp/consul/pull/21816
• WEB: https://discuss.hashicorp.com/t/hcsec-2024-22-consul-l7-intentions-vulnerable-to-url-path-bypass

Cross references:

• github.com/hashicorp/consul appears in 26 other report(s):
  • data/reports/GO-2022-0559.yaml (https://github.com/golang/vulndb/issues/559)
  • data/reports/GO-2022-0593.yaml (https://github.com/golang/vulndb/issues/593)
  • data/reports/GO-2022-0615.yaml (https://github.com/golang/vulndb/issues/615)
  • data/reports/GO-2022-0776.yaml (https://github.com/golang/vulndb/issues/776)
  • data/reports/GO-2022-0847.yaml (https://github.com/golang/vulndb/issues/847)
  • data/reports/GO-2022-0859.yaml (https://github.com/golang/vulndb/issues/859)
  • data/reports/GO-2022-0861.yaml (https://github.com/golang/vulndb/issues/861)
  • data/reports/GO-2022-0874.yaml (https://github.com/golang/vulndb/issues/874)
  • data/reports/GO-2022-0879.yaml (https://github.com/golang/vulndb/issues/879)
  • data/reports/GO-2022-0894.yaml (https://github.com/golang/vulndb/issues/894)
  • data/reports/GO-2022-0895.yaml (https://github.com/golang/vulndb/issues/895)
  • data/reports/GO-2022-0953.yaml (https://github.com/golang/vulndb/issues/953)
  • data/reports/GO-2022-1029.yaml (https://github.com/golang/vulndb/issues/1029)
  • data/reports/GO-2022-1121.yaml (https://github.com/golang/vulndb/issues/1121)
  • data/reports/GO-2023-1639.yaml (https://github.com/golang/vulndb/issues/1639)
  • data/reports/GO-2023-1827.yaml (https://github.com/golang/vulndb/issues/1827)
  • data/reports/GO-2023-1828.yaml (https://github.com/golang/vulndb/issues/1828)
  • data/reports/GO-2023-1850.yaml (https://github.com/golang/vulndb/issues/1850)
  • data/reports/GO-2023-1851.yaml (https://github.com/golang/vulndb/issues/1851)
  • data/reports/GO-2023-1852.yaml (https://github.com/golang/vulndb/issues/1852)
  • data/reports/GO-2023-1853.yaml (https://github.com/golang/vulndb/issues/1853)
  • data/reports/GO-2023-1945.yaml (https://github.com/golang/vulndb/issues/1945)
  • data/reports/GO-2024-2501.yaml (https://github.com/golang/vulndb/issues/2501)
  • data/reports/GO-2024-2505.yaml (https://github.com/golang/vulndb/issues/2505)
  • data/reports/GO-2024-2683.yaml (https://github.com/golang/vulndb/issues/2683)
  • data/reports/GO-2024-2704.yaml (https://github.com/golang/vulndb/issues/2704)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/hashicorp/consul
      versions:
        - introduced: 1.9.0
        - fixed: 1.20.1
      vulnerable_at: 1.20.0
summary: Hashicorp Consul Path Traversal vulnerability in github.com/hashicorp/consul
cves:
    - CVE-2024-10005
ghsas:
    - GHSA-chgm-7r52-whjj
references:
    - advisory: https://github.com/advisories/GHSA-chgm-7r52-whjj
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-10005
    - fix: https://github.com/hashicorp/consul/commit/d9206fc7e284a9244af4d62f8653a63ca30bd00c
    - fix: https://github.com/hashicorp/consul/pull/21816
    - web: https://discuss.hashicorp.com/t/hcsec-2024-22-consul-l7-intentions-vulnerable-to-url-path-bypass
source:
    id: GHSA-chgm-7r52-whjj
    created: 2024-10-31T15:01:22.162823808Z
review_status: UNREVIEWED

[gopherbot]

Change https://go.dev/cl/623640 mentions this issue: data/reports: add 9 unreviewed reports