Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS13OW1yLTI4bXctajhoZ84AAy-4
Hop-by-hop abuse to malform header mutator
Impact
Downstream services relying on the presence of headers set by the header mutator could be exploited. A client can drop the header set by the header mutator by including that header's name in the Connection header. Example minimal config:
- id: 'example'
  upstream:
    url: 'https://example.com'
  match:
    url: 'http://127.0.0.1:4455/'
    methods:
      - GET
  authenticators:
    - handler: anonymous
  authorizer:
    handler: allow
  mutators:
    - handler: header
      config:
        headers:
          X-Subject: '{{ .Subject }}'

curl -H "Connection: close,x-subject" http://127.0.0.1:4455/
The X-Subject header will not arrive at the downstream server. It is completely dropped. In case the downstream server handles such a request in an unexpected way, an attacker can exploit this, assuming they know or guess the internal header name.
Patches
c5cc7f736dc84185034be4356057d1c7a656d797
Workarounds
The downstream server should handle the case that an expected header is not set by responding with an appropriate error.
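The workaround as a downstream guard, in an added example that is not part of the advisory or of Oathkeeper's code. It assumes a Director-based httputil.ReverseProxy as a stand-in for the header mutator (the behaviour discussed in the Go issue cited under References); requireHeader, inProcess, probe and the host and subject values are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
)

// requireHeader is the workaround: the downstream service rejects any request
// that lacks the header the proxy is expected to inject.
func requireHeader(name string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get(name) == "" {
			http.Error(w, "missing "+name, http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// inProcess passes proxied requests straight to a handler (no sockets needed).
type inProcess struct{ h http.Handler }

func (t inProcess) RoundTrip(r *http.Request) (*http.Response, error) {
	rec := httptest.NewRecorder()
	t.h.ServeHTTP(rec, r)
	return rec.Result(), nil
}

// probe sends one GET through a Director-based ReverseProxy that sets X-Subject
// (a stand-in for the header mutator) and returns the downstream's status code.
func probe(connection string) int {
	ok := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { fmt.Fprint(w, "ok") })
	proxy := &httputil.ReverseProxy{
		Director: func(r *http.Request) {
			r.URL.Scheme, r.URL.Host = "http", "downstream.invalid" // constructed host
			r.Header.Set("X-Subject", "constructed-subject")
		},
		Transport: inProcess{requireHeader("X-Subject", ok)},
	}
	req := httptest.NewRequest(http.MethodGet, "http://127.0.0.1:4455/", nil)
	req.Header.Set("Connection", connection)
	rec := httptest.NewRecorder()
	proxy.ServeHTTP(rec, req)
	return rec.Code
}

func main() { fmt.Println(probe("close"), probe("close,x-subject")) }
```

With the guard in place, a request whose Connection header names x-subject is answered with 401 instead of being processed without a subject.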
References
See background info in https://github.com/golang/go/issues/50580
Permalink: https://github.com/advisories/GHSA-w9mr-28mw-j8hg
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS13OW1yLTI4bXctajhoZ84AAy-4
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: over 1 year ago
Updated: over 1 year ago
Identifiers: GHSA-w9mr-28mw-j8hg
References:
- https://github.com/ory/oathkeeper/security/advisories/GHSA-w9mr-28mw-j8hg
- https://github.com/advisories/GHSA-w9mr-28mw-j8hg
Blast Radius: 0.0
Affected Packages
go:github.com/ory/oathkeeper
Dependent packages: 4
Dependent repositories: 2
Downloads:
Affected Version Ranges: < 0.40.3
Fixed in: 0.40.3
All affected versions: 0.0.1, 0.0.2, 0.0.3, 0.0.4, 0.0.5, 0.0.6, 0.0.7, 0.0.8, 0.0.9, 0.0.10, 0.0.11, 0.0.12, 0.0.13, 0.0.14, 0.0.15, 0.0.16, 0.0.17, 0.0.18, 0.0.19, 0.0.20, 0.0.21, 0.0.22, 0.0.23, 0.0.24, 0.0.25, 0.0.26, 0.0.27, 0.0.28, 0.0.29, 0.11.12, 0.15.0, 0.15.1, 0.15.2, 0.39.0, 0.39.1, 0.39.2, 0.39.3, 0.39.4, 0.40.0, 0.40.1, 0.40.2
All unaffected versions: 0.40.3, 0.40.4, 0.40.5, 0.40.6, 0.40.7, 0.40.8