{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/microsoft.kiota.abstractions/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["kiota-java","KiotaClientFactory.java","Kiota","Microsoft Graph SDK for Java","microsoft-kiota-abstractions","Microsoft.Kiota.Abstractions","microsoft-kiota-http","kiota-typescript","kiota-http-go"],"_cs_severities":["high"],"_cs_tags":["header-injection","credential-access","cloud"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe RedirectHandler middleware in the Kiota client libraries, observed in microsoft-kiota-http-okHttp v1.9.0 for Java, does not strip sensitive HTTP headers when it follows a 3xx redirect to a different host or scheme. The same defect is present across the Kiota libraries for .NET, Java, Python, TypeScript, and Go. The flaw is in the \u003ccode\u003egetRedirect\u003c/code\u003e method of the \u003ccode\u003eRedirectHandler\u003c/code\u003e class: only the Authorization header is removed before the redirected request is built, so Cookie, Proxy-Authorization, and any custom headers the application set are forwarded to the new origin. RedirectHandler is part of the default middleware chain for Kiota HTTP clients created through \u003ccode\u003eKiotaClientFactory.create()\u003c/code\u003e in Java, so applications that never configured redirect handling explicitly are still exposed. Defenders should expect session hijacking (leaked cookies), corporate proxy credential theft (leaked Proxy-Authorization), and API key compromise (leaked custom headers) wherever a vulnerable Kiota library is in use. All releases before the fixed versions listed under Recommendation are affected.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies an application that calls a trusted API through a vulnerable Kiota client.\u003c/li\u003e\n\u003cli\u003eThe attacker arranges for one of that application\u0026rsquo;s requests to the trusted endpoint to be answered with a 3xx redirect pointing at attacker-controlled infrastructure, for example via an open redirect on the trusted host, a man-in-the-middle (MITM) position that injects the response, or DNS rebinding.\u003c/li\u003e\n\u003cli\u003eThe application receives a 302 whose Location header names the attacker\u0026rsquo;s server, on a different host or scheme from the original request.\u003c/li\u003e\n\u003cli\u003eThe vulnerable Kiota RedirectHandler processes the response but removes only the Authorization header; Cookie, Proxy-Authorization, and custom headers stay on the outgoing request.\u003c/li\u003e\n\u003cli\u003eKiota builds a new HTTP request to the attacker\u0026rsquo;s server that still carries those headers.\u003c/li\u003e\n\u003cli\u003eThe victim\u0026rsquo;s application sends the redirected request, and the headers leave the trusted origin.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s server records the headers: session cookies, proxy credentials, and API keys.\u003c/li\u003e\n\u003cli\u003eThe attacker replays the captured credentials, for example to hijack the session or to call the API as the victim.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation leads to session hijacking, corporate proxy credential theft, and API key compromise. An attacker holding a captured session cookie can impersonate the user and gain unauthorized access to the account and its data. Leaked proxy credentials let the attacker authenticate to the corporate proxy and reach internal resources behind it. Exposed API keys allow unauthorized calls to the upstream API, with data exfiltration or service disruption as the likely goals. All consumers of kiota-java are affected, including Microsoft Graph SDK for Java.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to the latest versions of the affected Kiota libraries to include the patch for CVE-2026-44503.\u003c/li\u003e\n\u003cli\u003eFor Java, upgrade \u003ccode\u003ecom.microsoft.kiota:microsoft-kiota-abstractions\u003c/code\u003e to version 1.9.1 or later.\u003c/li\u003e\n\u003cli\u003eFor .NET, upgrade \u003ccode\u003eMicrosoft.Kiota.Abstractions\u003c/code\u003e to version 1.22.0 or later.\u003c/li\u003e\n\u003cli\u003eFor Python, upgrade \u003ccode\u003emicrosoft-kiota-http\u003c/code\u003e to version 1.9.9 or later.\u003c/li\u003e\n\u003cli\u003eFor TypeScript, upgrade \u003ccode\u003ekiota-typescript\u003c/code\u003e to version 1.0.0-preview.100 or later.\u003c/li\u003e\n\u003cli\u003eFor Go, upgrade \u003ccode\u003egithub.com/microsoft/kiota-http-go\u003c/code\u003e to version 1.5.5 or later.\u003c/li\u003e\n\u003cli\u003eCheck the resolved dependency tree rather than direct declarations only: SDKs built on Kiota, such as Microsoft Graph SDK for Java, pull these packages in transitively.\u003c/li\u003e\n\u003cli\u003eUntil the upgrade is deployed, treat any redirect that changes scheme, host, or port as cross-origin and drop Authorization, Cookie, Proxy-Authorization, and custom credential headers before following it, or disable redirect following for clients that carry proxy or API-key credentials.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T10:00:00Z","date_published":"2024-01-09T10:00:00Z","id":"/briefs/2024-01-09-kiota-redirect-header-leak/","summary":"The RedirectHandler middleware in multiple Kiota libraries fails to strip sensitive HTTP headers (Cookie, Proxy-Authorization, and custom headers) when following 3xx redirects to a different host or scheme, potentially leading to session hijacking, corporate proxy credential theft, and API key theft.","title":"Kiota RedirectHandler Leaks Sensitive Headers on Cross-Origin Redirects","url":"https://feed.craftedsignal.io/briefs/2024-01-09-kiota-redirect-header-leak/"}],"language":"en","title":"CraftedSignal Threat Feed — Microsoft.Kiota.Abstractions","version":"https://jsonfeed.org/version/1.1"}
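The redirect-header rule the brief describes, written out as an added Go example. This is illustrative code, not kiota-http-go's RedirectHandler or any other Kiota code: VulnerablePolicy reproduces the behaviour the brief attributes to getRedirect (only Authorization removed), HardenedPolicy drops every credential-bearing header on any change of scheme, host, or port, and Follow chases 3xx responses by hand so either policy can be exercised against two local test servers. The header name X-Api-Key stands in for the "custom headers" the brief mentions and is an assumption, as are the example hostnames.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"sort"
	"strings"
)

// Credential-bearing request headers. Authorization, Cookie and Proxy-Authorization
// are named in the brief; X-Api-Key is an assumed stand-in for "custom headers".
var credentialHeaders = []string{"Authorization", "Proxy-Authorization", "Cookie", "X-Api-Key"}

// originKey normalises scheme, host and port so that "https://a.example" and
// "https://a.example:443" compare as the same origin.
func originKey(u *url.URL) string {
	port := u.Port()
	if port == "" {
		port = map[string]string{"http": "80", "https": "443"}[strings.ToLower(u.Scheme)]
	}
	return strings.ToLower(u.Scheme) + "://" + strings.ToLower(u.Hostname()) + ":" + port
}

// RedirectPolicy decides which headers from the original request survive a 3xx.
type RedirectPolicy func(orig http.Header, from, to *url.URL) http.Header

// VulnerablePolicy reproduces the behaviour described in the brief: only
// Authorization is dropped; everything else goes wherever Location points.
func VulnerablePolicy(orig http.Header, _, _ *url.URL) http.Header {
	h := orig.Clone()
	h.Del("Authorization")
	return h
}

// HardenedPolicy keeps credentials only for same-origin hops; any change of
// scheme, host or port strips every credential-bearing header.
func HardenedPolicy(orig http.Header, from, to *url.URL) http.Header {
	h := orig.Clone()
	if originKey(from) != originKey(to) {
		for _, name := range credentialHeaders {
			h.Del(name)
		}
	}
	return h
}

// LeakedCredentials lists the credential headers present in h, sorted by name.
func LeakedCredentials(h http.Header) []string {
	var out []string
	for _, name := range credentialHeaders {
		if h.Get(name) != "" {
			out = append(out, name)
		}
	}
	sort.Strings(out)
	return out
}

// Follow sends req and manually chases up to maxHops redirects, applying policy
// at each hop. The client's built-in redirect handling is disabled so the policy
// alone decides what is forwarded. Hops are reissued as bodiless GETs; 307/308
// method preservation is out of scope because the point here is header handling.
func Follow(client *http.Client, req *http.Request, policy RedirectPolicy, maxHops int) (*http.Response, error) {
	client.CheckRedirect = func(*http.Request, []*http.Request) error { return http.ErrUseLastResponse }
	for hop := 0; ; hop++ {
		resp, err := client.Do(req)
		if err != nil {
			return nil, err
		}
		loc := resp.Header.Get("Location")
		if resp.StatusCode < 300 || resp.StatusCode > 399 || loc == "" {
			return resp, nil
		}
		resp.Body.Close()
		if hop >= maxHops {
			return nil, fmt.Errorf("too many redirects (limit %d)", maxHops)
		}
		target, err := req.URL.Parse(loc)
		if err != nil {
			return nil, err
		}
		next, err := http.NewRequest(http.MethodGet, target.String(), nil)
		if err != nil {
			return nil, err
		}
		next.Header = policy(req.Header, req.URL, target)
		req = next
	}
}

func main() {
	// Constructed sample: a trusted API redirects to an attacker host (both hostnames are assumptions).
	orig := http.Header{"Authorization": {"Bearer t"}, "Cookie": {"session=abc"}, "Proxy-Authorization": {"Basic x"}, "X-Api-Key": {"k"}}
	from, _ := url.Parse("https://graph.example/v1.0/me")
	to, _ := url.Parse("https://attacker.example/collect")
	fmt.Println("vulnerable policy forwards:", LeakedCredentials(VulnerablePolicy(orig, from, to)))
	fmt.Println("hardened policy forwards:  ", LeakedCredentials(HardenedPolicy(orig, from, to)))
}
```

Port is part of the origin check on purpose: two services on the same host but different ports are different trust boundaries, and the two httptest servers in a local test differ only by port, which is exactly the case the hardened policy must catch.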