GHSA-w9mr-28mw-j8hg
Suggest an improvement- Source
- https://github.com/advisories/GHSA-w9mr-28mw-j8hg
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-w9mr-28mw-j8hg/GHSA-w9mr-28mw-j8hg.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-w9mr-28mw-j8hg
- Aliases
- Published
- 2023-04-26T19:44:00Z
- Modified
- 2024-08-20T20:59:19.418060Z
- Summary
- Hop-by-hop abuse to malform header mutator
- Details
-
Impact
Downstream services relying on the presence of headers set by the
headermutator could be exploited. A client can drop the header set by theheadermutator by including that header's name in theConnectionheader. Example minimal config:- id: 'example' upstream: url: 'https://example.com' match: url: 'http://127.0.0.1:4455/' methods: - GET authenticators: - handler: anonymous authorizer: handler: allow mutators: - handler: header config: headers: X-Subject: {{ .Subject }}curl -H "Connection: close,x-subject" http://127.0.0.1:4455/The
X-Subjectheader will not arrive at the downstream server. It is completely dropped. In case the downstream server handles such a request in an unexpected way, an attacker can exploit this, assuming they know or guess the internal header name.Patches
c5cc7f736dc84185034be4356057d1c7a656d797
Workarounds
The downstream server should handle the case that an expected header is not set by responding with an appropriate error.
References
See background info in https://github.com/golang/go/issues/50580
- Database specific
{ "nvd_published_at": null, "cwe_ids": [], "severity": "LOW", "github_reviewed": true, "github_reviewed_at": "2023-04-26T19:44:00Z" }- References
Affected packages
Go / github.com/ory/oathkeeper
Package
- Name
- github.com/ory/oathkeeper
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/ory/oathkeeper