{"id":"CVE-2024-10005","details":"A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such that using URL paths in L7 traffic intentions could bypass HTTP request path-based access rules.","aliases":["BIT-consul-2024-10005","GHSA-chgm-7r52-whjj","GO-2024-3243"],"modified":"2026-02-11T15:32:59.820661Z","published":"2024-10-30T22:15:02.820Z","related":["CGA-h9jv-chc5-2mcw","SUSE-SU-2024:3950-1","openSUSE-SU-2024:0350-1","openSUSE-SU-2024:14458-1"],"references":[{"type":"ADVISORY","url":"https://discuss.hashicorp.com/t/hcsec-2024-22-consul-l7-intentions-vulnerable-to-url-path-bypass"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20250110-0004/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/hashicorp/consul","events":[{"introduced":"349cec176db1a6067952c1708d384e56de4eb9e1"},{"fixed":"e694ba9b3f1c9f440350869e739d534532946920"},{"introduced":"65d2c9b51d02e6b14db3da3cb8424ef72e046780"},{"fixed":"920cc7c649225b52e1c45951e609c3d37a49324d"},{"introduced":"a417fe51040a33039d3282e31c6c6b6f4fd1f886"},{"fixed":"d64fc79023011fdd0f600cc6460622eedde25f54"},{"introduced":"bf0166d85082f384a94c5c0e6227619e63f3c644"},{"fixed":"165f38b86348f88d891f68ea9a93aa447c022a29"}]}],"versions":["api/v1.0.0","api/v1.0.1","api/v1.1.0","api/v1.10.0","api/v1.2.0","api/v1.20.0","api/v1.21.0","api/v1.28.3","api/v1.4.0","ent-changelog-1.15.11","ent-changelog-1.15.12","ent-changelog-1.15.13","ent-changelog-1.18.3","envoyextensions/v0.1.2","envoyextensions/v0.2.0","envoyextensions/v0.7.5","internal/v0.1.0","list","proto-public/v0.1.0","proto-public/v0.1.1","proto-public/v0.6.1","proto-public/v0.6.2","sdk/v0.1.0","sdk/v0.1.1","sdk/v0.13.1","sdk/v0.16.1","sdk/v0.2.0","sdk/v0.4.0","troubleshoot/v0.1.2","v1.11.0-alpha","v1.15.11","v1.4.1","v1.4.2","v1.4.3","v1.4.4","v1.5.0","v1.5.1","v1.5.2","v1.5.3","v1.6.0","v1.6.0-beta1","v1.6.0-beta2","v1.6.0-beta3","v1.6.0-rc1","v1.6.1","v1.7.0","v1.7.0-beta1","v1.7.0-beta2","v1.7.0-beta3","v1.9.0-beta1"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-10005.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N"}]}