{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/heimdall-versions-prior-to-0.17.14/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Heimdall (versions prior to 0.17.14)"],"_cs_severities":["high"],"_cs_tags":["heimdall","authorization-bypass","url-encoding"],"_cs_type":"advisory","_cs_vendors":["dadrus"],"content_html":"\u003cp\u003eHeimdall, a cloud-native access management proxy, is susceptible to an authorization bypass caused by case-sensitive handling of URL-encoded slashes. Versions prior to 0.17.14 do not recognize the lowercase URL-encoded forward slash (\u003ccode\u003e%2f\u003c/code\u003e) when the \u003ccode\u003eallow_encoded_slashes\u003c/code\u003e option is disabled, which is the default configuration. The hex digits of a percent-encoded octet are case-insensitive (RFC 3986), so \u003ccode\u003e%2f\u003c/code\u003e and \u003ccode\u003e%2F\u003c/code\u003e both denote a slash, but Heimdall only recognizes the uppercase \u003ccode\u003e%2F\u003c/code\u003e. An attacker can exploit the discrepancy by sending requests with lowercase encoded slashes that Heimdall does not normalize but the upstream service does: Heimdall matches its rules against the un-normalized path, falls through to the default rule (which grants access if configured permissively), and the upstream then serves the protected resource. The vulnerability is mitigated by a secure default configuration or by proper input validation in front of Heimdall.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a Heimdall instance enforcing access control policies.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting a protected resource, such as \u003ccode\u003e/admin/secret\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker replaces the forward slash in the request path with a lowercase URL-encoded slash (\u003ccode\u003e%2f\u003c/code\u003e), resulting in a request like \u003ccode\u003e/admin%2fsecret\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe request reaches the Heimdall instance. Because its handling of URL-encoded slashes is case-sensitive, Heimdall neither rejects nor normalizes the \u003ccode\u003e%2f\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eHeimdall fails to match the request to the intended access control rule (e.g., a rule matching \u003ccode\u003e/admin/**\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eHeimdall executes the default rule, which, if misconfigured to be overly permissive (allowing anonymous access), grants access.\u003c/li\u003e\n\u003cli\u003eThe request is forwarded to the upstream service.\u003c/li\u003e\n\u003cli\u003eThe upstream service decodes \u003ccode\u003e%2f\u003c/code\u003e as a forward slash and processes the request as \u003ccode\u003e/admin/secret\u003c/code\u003e, giving the attacker unauthorized access to the protected resource.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to bypass intended access control policies, potentially leading to unauthorized access to sensitive data, modification of restricted resources, or invocation of privileged functionality. Depending on the exposed functionality and the configuration of the upstream service, this could also lead to privilege escalation. Actual exposure depends heavily on how each Heimdall instance is deployed and configured.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to Heimdall version 0.17.14 or later, which corrects the case-sensitive handling of URL-encoded slashes.\u003c/li\u003e\n\u003cli\u003eAvoid the \u003ccode\u003e--insecure\u003c/code\u003e and \u003ccode\u003e--insecure-skip-secure-default-rule-enforcement\u003c/code\u003e flags when running Heimdall, as they weaken the security posture.\u003c/li\u003e\n\u003cli\u003eConfigure the default rule in Heimdall to implement a \u0026ldquo;deny by default\u0026rdquo; policy so that an unmatched request is refused rather than forwarded.\u003c/li\u003e\n\u003cli\u003eImplement input validation at layers in front of Heimdall (e.g., in proxies like Traefik) to reject HTTP paths containing encoded slashes in either case, providing an additional layer of defense.\u003c/li\u003e\n\u003cli\u003eIf using JWTs, include the ID of the rule expected to be executed and verify that value in the upstream service, so that a request which reached the service via the wrong rule is refused there.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-heimdall-url-encoding/","summary":"Heimdall versions before 0.17.14 are vulnerable to inconsistent path interpretation due to case-sensitive handling of URL-encoded slashes; when `allow_encoded_slashes` is set to `off` (the default), the lowercase `%2f` is not recognized, potentially leading to authorization bypass if the default rule is overly permissive and the upstream service interprets `%2f` as a path separator.","title":"Heimdall Authorization Bypass via Case-Sensitive URL-Encoded Slash Handling","url":"https://feed.craftedsignal.io/briefs/2024-01-03-heimdall-url-encoding/"}],"language":"en","title":"CraftedSignal Threat Feed — Heimdall (Versions Prior to 0.17.14)","version":"https://jsonfeed.org/version/1.1"}