Hop-by-hop abuse to malform header mutator

Low severity GitHub Reviewed Published Apr 26, 2023 in ory/oathkeeper • Updated Apr 27, 2023

Package

gomod github.com/ory/oathkeeper (Go)

Affected versions

< 0.40.3

Patched versions

0.40.3

Description

Impact

Downstream services that rely on the presence of headers set by the header mutator could be exploited. A client can cause a header set by the header mutator to be dropped by listing that header's name in the request's Connection header, which marks it as hop-by-hop. Example minimal config:

- id: 'example'
  upstream:
    url: 'https://example.com'
  match:
    url: 'http://127.0.0.1:4455/'
    methods:
      - GET
  authenticators:
    - handler: anonymous
  authorizer:
    handler: allow
  mutators:
    - handler: header
      config:
        headers:
          X-Subject: '{{ .Subject }}'

curl -H "Connection: close,x-subject" http://127.0.0.1:4455/

The X-Subject header will not arrive at the downstream server; it is dropped entirely. If the downstream server handles such a request in an unexpected way, an attacker can exploit this, assuming they know or can guess the internal header name.

Patches

c5cc7f736dc84185034be4356057d1c7a656d797

Workarounds

The downstream server should handle the case that an expected header is not set by responding with an appropriate error.
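The following Go program is added here as an illustration; it is not code from the advisory or from Oathkeeper. It reproduces the mechanism described under Impact with net/http/httputil's ReverseProxy standing in for the header mutator, and shows both mitigations: the proxy removes every name listed in the incoming Connection header before it adds its own header (so the later hop-by-hop stripping has nothing to remove), and the downstream service applies the workaround from this section by refusing requests that arrive without the expected header. The names newHeaderMutatorProxy, requireSubject, stripConnectionListed and probe, the subject value "anonymous" and the loopback test servers are constructed for this example; the unhardened path reproduces the drop on Go versions where ReverseProxy strips hop-by-hop headers after calling Director, as discussed in golang/go#50580.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/textproto"
	"net/url"
	"strings"
)

// subjectHeader is the header the mutator is expected to add for the upstream.
const subjectHeader = "X-Subject"

// stripConnectionListed removes every header named in the incoming Connection
// header, then Connection itself (the RFC 7230 section 6.1 rule), so a client
// cannot pre-declare one of the proxy's own headers as hop-by-hop.
func stripConnectionListed(h http.Header) {
	for _, v := range h.Values("Connection") {
		for _, tok := range strings.Split(v, ",") {
			if tok = textproto.TrimString(tok); tok != "" {
				h.Del(tok)
			}
		}
	}
	h.Del("Connection")
}

// newHeaderMutatorProxy builds a reverse proxy whose Director plays the role of
// the header mutator and sets X-Subject for the upstream (constructed for this
// example). With hardened=false the client's Connection header is still present
// when ReverseProxy later strips hop-by-hop headers, so X-Subject is dropped.
// With hardened=true the Connection-listed names are removed first.
func newHeaderMutatorProxy(upstream *url.URL, subject string, hardened bool) *httputil.ReverseProxy {
	return &httputil.ReverseProxy{
		Director: func(r *http.Request) {
			if hardened {
				stripConnectionListed(r.Header)
			}
			r.URL.Scheme = upstream.Scheme
			r.URL.Host = upstream.Host
			r.Host = upstream.Host
			r.Header.Set(subjectHeader, subject)
		},
	}
}

// requireSubject is the advisory's workaround on the downstream side: refuse
// any request that arrives without the header the proxy was supposed to add.
func requireSubject(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get(subjectHeader) == "" {
			http.Error(w, "missing "+subjectHeader, http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// probe sends the advisory's request (a Connection header naming x-subject)
// through a proxy in front of the guarded upstream and reports the status the
// client saw and the X-Subject value the upstream received ("" when dropped).
func probe(hardened bool) (status int, subjectSeen string) {
	upstream := httptest.NewServer(requireSubject(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		subjectSeen = r.Header.Get(subjectHeader)
		io.WriteString(w, "ok")
	})))
	defer upstream.Close()

	u, _ := url.Parse(upstream.URL)
	proxy := httptest.NewServer(newHeaderMutatorProxy(u, "anonymous", hardened))
	defer proxy.Close()

	req, _ := http.NewRequest(http.MethodGet, proxy.URL+"/", nil)
	req.Header.Set("Connection", "close, x-subject") // same as the curl -H in the advisory
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return 0, ""
	}
	defer resp.Body.Close()
	io.Copy(io.Discard, resp.Body)
	return resp.StatusCode, subjectSeen
}

func main() {
	for _, hardened := range []bool{false, true} {
		status, seen := probe(hardened)
		fmt.Printf("hardened=%v status=%d upstream saw %s=%q\n", hardened, status, subjectHeader, seen)
	}
}
```

Running the program shows the unhardened proxy answering 401 because the guarded upstream never saw X-Subject, and the hardened proxy answering 200 with the subject delivered. Note that the downstream check alone only converts the dropped header into a clean error; the proxy-side strip is what restores the header, and both are worth having because the downstream service cannot tell a dropped header from one that was never configured.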

References

See background info in golang/go#50580

@zepatrik zepatrik published to ory/oathkeeper Apr 26, 2023
Published to the GitHub Advisory Database Apr 26, 2023
Reviewed Apr 26, 2023
Last updated Apr 27, 2023

Severity

Low

Weaknesses

No CWEs

CVE ID

No known CVE

GHSA ID

GHSA-w9mr-28mw-j8hg
