{"id":"CVE-2024-10006","details":"A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such that using Headers in L7 traffic intentions could bypass HTTP header based access rules.","aliases":["BIT-consul-2024-10006","GHSA-5c4w-8hhh-3c3h","GO-2024-3241"],"modified":"2026-04-10T05:08:01.469049Z","published":"2024-10-30T22:15:03.063Z","related":["CGA-pcg4-47ff-wfqv","SUSE-SU-2024:3950-1","openSUSE-SU-2024:0350-1","openSUSE-SU-2024:14458-1"],"references":[{"type":"ADVISORY","url":"https://discuss.hashicorp.com/t/hcsec-2024-23-consul-l7-intentions-vulnerable-to-headers-bypass"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20250110-0005/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/hashicorp/consul","events":[{"introduced":"65d2c9b51d02e6b14db3da3cb8424ef72e046780"},{"fixed":"920cc7c649225b52e1c45951e609c3d37a49324d"},{"introduced":"a417fe51040a33039d3282e31c6c6b6f4fd1f886"},{"fixed":"d64fc79023011fdd0f600cc6460622eedde25f54"},{"introduced":"349cec176db1a6067952c1708d384e56de4eb9e1"},{"fixed":"e694ba9b3f1c9f440350869e739d534532946920"},{"introduced":"bf0166d85082f384a94c5c0e6227619e63f3c644"},{"fixed":"165f38b86348f88d891f68ea9a93aa447c022a29"},{"introduced":"0"},{"last_affected":"cddc6181264ad5909e2795ec5cd68a89fa3b2c99"}],"database_specific":{"versions":[{"introduced":"1.4.1"},{"fixed":"1.20.1"},{"introduced":"1.9.0"},{"fixed":"1.15.15"},{"introduced":"1.18.0"},{"fixed":"1.18.5"},{"introduced":"1.19.0"},{"fixed":"1.19.3"},{"introduced":"0"},{"last_affected":"1.20.0"}]}}],"versions":["api/v1.0.0","api/v1.0.1","api/v1.1.0","api/v1.10.0","api/v1.2.0","api/v1.20.0","api/v1.21.0","api/v1.28.3","api/v1.29.5-rc1","api/v1.4.0","ent-changelog-1.15.11","ent-changelog-1.15.12","ent-changelog-1.15.13","ent-changelog-1.18.3","envoyextensions/v0.1.2","envoyextensions/v0.2.0","envoyextensions/v0.7.4-rc1","envoyextensions/v0.7.5","internal/v0.1.0","list","proto-public/v0.1.0","proto-public/v0.1.1","proto-public/v0.5.4-rc1","proto-public/v0.6.1","proto-public/v0.6.2","proto-public/v0.6.3","sdk/v0.1.0","sdk/v0.1.1","sdk/v0.13.1","sdk/v0.16.1","sdk/v0.2.0","sdk/v0.4.0","troubleshoot/v0.1.2","troubleshoot/v0.7.2-rc1","v1.15.11","v1.20.0","v1.4.1","v1.4.2","v1.4.3","v1.4.4","v1.5.0","v1.5.1","v1.5.2","v1.5.3","v1.6.0","v1.6.1","v1.7.0","v1.7.0-beta1","v1.7.0-beta2","v1.7.0-beta3"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-10006.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N"}]}