{"id":"CVE-2021-28156","details":"In HashiCorp Consul Enterprise versions 1.8.0 up to 1.9.4, the audit log can be bypassed by specially crafted HTTP events. Fixed in 1.9.5 and 1.8.10.","aliases":["BIT-consul-2021-28156"],"modified":"2026-04-10T04:31:40.220082Z","published":"2021-04-20T16:15:10.407Z","references":[{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202208-09"},{"type":"ADVISORY","url":"https://www.hashicorp.com/blog/category/consul"},{"type":"ADVISORY","url":"https://discuss.hashicorp.com/t/hcsec-2021-08-consul-enterprise-audit-log-bypass-for-http-events/23369"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/hashicorp/consul","events":[{"introduced":"3111cb8c7df8545abaa0c96347996b5341ff625d"},{"fixed":"46a6ae729e8dda3f814820885d463e76bfdbc7b8"},{"introduced":"a417fe51040a33039d3282e31c6c6b6f4fd1f886"},{"fixed":"3c1c22679e9ca097211b3b6602da2e95a5d4401b"}],"database_specific":{"versions":[{"introduced":"1.8.0"},{"fixed":"1.8.10"},{"introduced":"1.9.0"},{"fixed":"1.9.5"}]}}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-28156.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}]}