GHSA-w9mr-28mw-j8hg – github.com/ory/oathkeeper

Package

Manager: go
Name: github.com/ory/oathkeeper
Vulnerable Version: >=0 <0.40.3

Severity

Level: Low

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N

EPSS: N/A pctlN/A

Details

Hop-by-hop abuse to malform header mutator ### Impact Downstream services relying on the presence of headers set by the `header` mutator could be exploited. A client can drop the header set by the `header` mutator by including that header's name in the `Connection` header. Example minimal config: ```yaml - id: 'example' upstream: url: 'https://example.com' match: url: 'http://127.0.0.1:4455/' methods: - GET authenticators: - handler: anonymous authorizer: handler: allow mutators: - handler: header config: headers: X-Subject: {{ .Subject }} ``` ``` curl -H "Connection: close,x-subject" http://127.0.0.1:4455/ ``` The `X-Subject` header will not arrive at the downstream server. It is completely dropped. In case the downstream server handles such a request in an unexpected way, an attacker can exploit this, assuming they know or guess the internal header name. ### Patches c5cc7f736dc84185034be4356057d1c7a656d797 ### Workarounds The downstream server should handle the case that an expected header is not set by responding with an appropriate error. ### References See background info in https://github.com/golang/go/issues/50580

Metadata

Created: 2023-04-26T19:44:00Z
Modified: 2023-04-27T15:52:24Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-w9mr-28mw-j8hg/GHSA-w9mr-28mw-j8hg.json
CWE IDs: []
Alternative ID: N/A
Finding: F115
Auto approve: 1