{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/path-normalization/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["heimdall"],"_cs_severities":["high"],"_cs_tags":["authorization-bypass","path-normalization","cloud"],"_cs_type":"advisory","_cs_vendors":["dadrus"],"content_html":"\u003cp\u003eHeimdall, a cloud-native security proxy, is susceptible to an authorization bypass vulnerability. This issue arises from a discrepancy in how Heimdall handles request paths compared to downstream components. Specifically, Heimdall performs rule matching on the raw, non-normalized request path, while downstream components might normalize dot-segments (e.g., \u003ccode\u003e/user/../admin\u003c/code\u003e) according to RFC 3986. This can lead to Heimdall authorizing a request based on the raw path, whereas the downstream service processes a different, normalized path, potentially bypassing intended access controls. The vulnerability affects Heimdall versions prior to 0.17.14. Exploitation is possible when using wildcards in rule matching without further constraints. This could allow attackers to access restricted resources or functionalities.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a malicious HTTP request with a path containing dot-segments (e.g., \u003ccode\u003e/public/../user/resource\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe request is sent to the Heimdall proxy.\u003c/li\u003e\n\u003cli\u003eHeimdall performs rule matching on the raw, non-normalized path (\u003ccode\u003e/public/../user/resource\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eHeimdall incorrectly matches the request to a less restrictive rule, such as a rule for \u003ccode\u003e/public/**\u003c/code\u003e, due to the initial \u003ccode\u003e/public\u003c/code\u003e segment.\u003c/li\u003e\n\u003cli\u003eHeimdall authorizes the request based on the matched rule, potentially allowing anonymous access.\u003c/li\u003e\n\u003cli\u003eThe request is forwarded to the downstream service.\u003c/li\u003e\n\u003cli\u003eThe downstream service normalizes the request path to \u003ccode\u003e/user/resource\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe downstream service processes the request as \u003ccode\u003e/user/resource\u003c/code\u003e, bypassing the intended access controls for that resource, possibly leading to data access or privilege escalation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows attackers to bypass access control policies enforced by Heimdall. This can lead to unauthorized access to sensitive data, modification of restricted data, invocation of privileged functionality without proper authentication or authorization, and in certain configurations, escalation of privileges. The number of potential victims depends on the deployment and configuration of Heimdall within affected environments.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the available patch to upgrade Heimdall to version 0.17.14 or later to remediate the vulnerability.\u003c/li\u003e\n\u003cli\u003eImplement HTTP path normalization or rejection of HTTP paths containing relative path expressions in layers in front of Heimdall, as suggested in the advisory.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided below to detect suspicious HTTP requests containing dot-segments (..) in the request path.\u003c/li\u003e\n\u003cli\u003eConfigure your proxies (e.g., Envoy) to normalize paths, as described in the advisory.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-02-heimdall-auth-bypass/","summary":"Heimdall is vulnerable to an authorization bypass due to a path normalization mismatch between Heimdall and downstream components, potentially leading to unauthorized access and privilege escalation.","title":"Heimdall Authorization Bypass via Path Normalization Mismatch","url":"https://feed.craftedsignal.io/briefs/2024-01-02-heimdall-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Path-Normalization","version":"https://jsonfeed.org/version/1.1"}