{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/heimdall/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["heimdall"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","policy-bypass","access-control"],"_cs_type":"advisory","_cs_vendors":["dadrus"],"content_html":"\u003cp\u003eHeimdall, a Go-based access management system, is susceptible to a case-sensitivity vulnerability in its host matching mechanism. HTTP hostnames are case-insensitive, but Heimdall performs host matching in a case-sensitive manner. Discovered and reported in April 2026, this discrepancy can result in Heimdall failing to match a rule for a request host that differs only in letter casing. Version 0.16.0 and later enforce secure defaults and refuse to start with an \u0026ldquo;allow all\u0026rdquo; configuration unless explicitly disabled using flags like \u003ccode\u003e--insecure-skip-secure-default-rule-enforcement\u003c/code\u003e or \u003ccode\u003e--insecure\u003c/code\u003e. The vulnerability affects Heimdall versions prior to 0.17.14 and can be exploited if rule matching relies on the request host, potentially leading to unintended access control bypass.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a Heimdall instance with host-based access control rules.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a specific rule where the host is used for access control (e.g., \u003ccode\u003eadmin.example.com\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts an HTTP request with a \u003ccode\u003eHost\u003c/code\u003e header that differs only in casing (e.g., \u003ccode\u003eAdmin.Example.Com\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eHeimdall fails to match the intended rule due to the case-sensitive comparison.\u003c/li\u003e\n\u003cli\u003eIf no default rule is configured, Heimdall returns a \u0026ldquo;404 Not Found\u0026rdquo; error.\u003c/li\u003e\n\u003cli\u003eIf a permissive default rule is configured (e.g., allowing anonymous access, which is discouraged since v0.16.0), Heimdall executes this default rule.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to resources or functionality that should be protected by the intended rule.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits the gained access to modify data, invoke functionality, or escalate privileges depending on the exposed functionality.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eBypassing access control policies enforced by Heimdall can lead to unauthorized access to sensitive data, modification of critical information, or invocation of restricted functionality. Depending on the exposed functionality, this could also lead to privilege escalation. The severity of the impact depends heavily on the misconfiguration of Heimdall\u0026rsquo;s rules, particularly the presence of overly permissive default rules. Successful exploitation can compromise the confidentiality, integrity, and availability of the protected application or service.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eNormalize request hosts to lowercase in layers in front of Heimdall to mitigate the case sensitivity issue.\u003c/li\u003e\n\u003cli\u003eAvoid configuring permissive default rules. Remove or disable the \u003ccode\u003e--insecure\u003c/code\u003e or \u003ccode\u003e--insecure-skip-secure-default-rule-enforcement\u003c/code\u003e flags.\u003c/li\u003e\n\u003cli\u003eWhen using the \u003ccode\u003eregex\u003c/code\u003e type for host matching, define expressions in a case-insensitive manner (e.g., \u003ccode\u003e(?i)^admin\\.example\\.com$\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eUpgrade to Heimdall version 0.17.14 or later to patch the vulnerability directly.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-02-heimdall-case-sensitivity/","summary":"Heimdall performs case-sensitive host matching, which can lead to policy bypass because HTTP hostnames are case-insensitive, potentially leading to unauthorized access, data modification, or privilege escalation if the request host is part of the rule.","title":"Heimdall Host Matching Case-Sensitivity Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-02-heimdall-case-sensitivity/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["heimdall"],"_cs_severities":["high"],"_cs_tags":["authorization-bypass","path-normalization","cloud"],"_cs_type":"advisory","_cs_vendors":["dadrus"],"content_html":"\u003cp\u003eHeimdall, a cloud-native security proxy, is susceptible to an authorization bypass vulnerability. This issue arises from a discrepancy in how Heimdall handles request paths compared to downstream components. Specifically, Heimdall performs rule matching on the raw, non-normalized request path, while downstream components might normalize dot-segments (e.g., \u003ccode\u003e/user/../admin\u003c/code\u003e) according to RFC 3986. This can lead to Heimdall authorizing a request based on the raw path, whereas the downstream service processes a different, normalized path, potentially bypassing intended access controls. The vulnerability affects Heimdall versions prior to 0.17.14. Exploitation is possible when using wildcards in rule matching without further constraints. This could allow attackers to access restricted resources or functionalities.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a malicious HTTP request with a path containing dot-segments (e.g., \u003ccode\u003e/public/../user/resource\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe request is sent to the Heimdall proxy.\u003c/li\u003e\n\u003cli\u003eHeimdall performs rule matching on the raw, non-normalized path (\u003ccode\u003e/public/../user/resource\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eHeimdall incorrectly matches the request to a less restrictive rule, such as a rule for \u003ccode\u003e/public/**\u003c/code\u003e, due to the initial \u003ccode\u003e/public\u003c/code\u003e segment.\u003c/li\u003e\n\u003cli\u003eHeimdall authorizes the request based on the matched rule, potentially allowing anonymous access.\u003c/li\u003e\n\u003cli\u003eThe request is forwarded to the downstream service.\u003c/li\u003e\n\u003cli\u003eThe downstream service normalizes the request path to \u003ccode\u003e/user/resource\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe downstream service processes the request as \u003ccode\u003e/user/resource\u003c/code\u003e, bypassing the intended access controls for that resource, possibly leading to data access or privilege escalation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows attackers to bypass access control policies enforced by Heimdall. This can lead to unauthorized access to sensitive data, modification of restricted data, invocation of privileged functionality without proper authentication or authorization, and in certain configurations, escalation of privileges. The number of potential victims depends on the deployment and configuration of Heimdall within affected environments.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the available patch to upgrade Heimdall to version 0.17.14 or later to remediate the vulnerability.\u003c/li\u003e\n\u003cli\u003eImplement HTTP path normalization or rejection of HTTP paths containing relative path expressions in layers in front of Heimdall, as suggested in the advisory.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided below to detect suspicious HTTP requests containing dot-segments (..) in the request path.\u003c/li\u003e\n\u003cli\u003eConfigure your proxies (e.g., Envoy) to normalize paths, as described in the advisory.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-02-heimdall-auth-bypass/","summary":"Heimdall is vulnerable to an authorization bypass due to a path normalization mismatch between Heimdall and downstream components, potentially leading to unauthorized access and privilege escalation.","title":"Heimdall Authorization Bypass via Path Normalization Mismatch","url":"https://feed.craftedsignal.io/briefs/2024-01-02-heimdall-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Heimdall","version":"https://jsonfeed.org/version/1.1"}