{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/dadrus/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Heimdall (versions prior to 0.17.14)"],"_cs_severities":["high"],"_cs_tags":["heimdall","authorization-bypass","url-encoding"],"_cs_type":"advisory","_cs_vendors":["dadrus"],"content_html":"\u003cp\u003eHeimdall, a cloud-native access management proxy, is susceptible to an authorization bypass vulnerability due to its case-sensitive handling of URL-encoded slashes. Specifically, versions prior to 0.17.14 fail to recognize lowercase URL-encoded forward slashes (\u003ccode\u003e%2f\u003c/code\u003e) when the \u003ccode\u003eallow_encoded_slashes\u003c/code\u003e option is disabled, which is the default configuration. The discrepancy arises because RFC 3986 defines the hexadecimal digits of a percent-encoding as case-insensitive (\u003ccode\u003e%2f\u003c/code\u003e and \u003ccode\u003e%2F\u003c/code\u003e denote the same octet), yet Heimdall only recognizes the uppercase \u003ccode\u003e%2F\u003c/code\u003e. An attacker can exploit this by sending requests with lowercase encoded slashes: Heimdall does not treat them as path separators, while the upstream service decodes them. The request then falls through to the default rule which, if configured permissively, grants unauthorized access to protected resources. 
The vulnerability is mitigated by upgrading, by a deny-by-default rule, or by input validation in front of Heimdall.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a Heimdall instance enforcing access control policies.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting a protected resource, such as \u003ccode\u003e/admin/secret\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker replaces the forward slash in the request path with a lowercase URL-encoded slash (\u003ccode\u003e%2f\u003c/code\u003e), resulting in a request like \u003ccode\u003e/admin%2fsecret\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe request reaches the Heimdall instance. Because only the uppercase \u003ccode\u003e%2F\u003c/code\u003e is recognized, Heimdall does not treat the lowercase \u003ccode\u003e%2f\u003c/code\u003e as an encoded slash.\u003c/li\u003e\n\u003cli\u003eHeimdall fails to match the request to the intended access control rule (e.g., a rule matching \u003ccode\u003e/admin/**\u003c/code\u003e), because \u003ccode\u003e/admin%2fsecret\u003c/code\u003e does not fall under \u003ccode\u003e/admin/\u003c/code\u003e as matched.\u003c/li\u003e\n\u003cli\u003eHeimdall executes the default rule, which, if misconfigured to be overly permissive (allowing anonymous access), grants access.\u003c/li\u003e\n\u003cli\u003eThe request is forwarded to the upstream service.\u003c/li\u003e\n\u003cli\u003eThe upstream service decodes \u003ccode\u003e%2f\u003c/code\u003e to a forward slash, effectively processing the request as \u003ccode\u003e/admin/secret\u003c/code\u003e, granting the attacker unauthorized access to the protected resource.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to bypass intended access control policies, potentially leading to unauthorized access to sensitive data, modification of restricted resources, or invocation of privileged functionality. 
Depending on the exposed functionality and the configuration of the upstream service, this could also lead to privilege escalation. The exposure depends heavily on how Heimdall instances are deployed and configured.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to Heimdall version 0.17.14 or later to address the case-sensitive handling of URL-encoded slashes.\u003c/li\u003e\n\u003cli\u003eAvoid the \u003ccode\u003e--insecure\u003c/code\u003e or \u003ccode\u003e--insecure-skip-secure-default-rule-enforcement\u003c/code\u003e flags when starting Heimdall, as they disable the secure-default-rule enforcement and weaken the security posture.\u003c/li\u003e\n\u003cli\u003eConfigure the default rule in Heimdall to implement a \u0026ldquo;deny by default\u0026rdquo; policy so that an unmatched request is rejected rather than forwarded.\u003c/li\u003e\n\u003cli\u003eImplement input validation at layers in front of Heimdall (e.g., in proxies like Traefik) to reject HTTP paths containing encoded slashes in either hex case, providing an additional layer of defense.\u003c/li\u003e\n\u003cli\u003eIf Heimdall issues JWTs to the upstream, include the ID of the rule expected to be executed and verify that value in the upstream service, so a request that reached the upstream via the wrong rule is rejected there.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-heimdall-url-encoding/","summary":"Heimdall versions before 0.17.14 are vulnerable to inconsistent path interpretation due to case-sensitive handling of URL-encoded slashes; when `allow_encoded_slashes` is set to `off` (the default), the lowercase `%2f` is not recognized, potentially leading to authorization bypass if the default rule is overly permissive and the upstream service interprets `%2f` as a path separator.","title":"Heimdall Authorization Bypass via Case-Sensitive URL-Encoded Slash Handling","url":"https://feed.craftedsignal.io/briefs/2024-01-03-heimdall-url-encoding/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["heimdall"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","policy-bypass","access-control"],"_cs_type":"advisory","_cs_vendors":["dadrus"],"content_html":"\u003cp\u003eHeimdall, a Go-based access management system, is susceptible to a case-sensitivity vulnerability in its host matching mechanism. HTTP hostnames are case-insensitive (RFC 3986, section 3.2.2), but Heimdall performs host matching in a case-sensitive manner. This discrepancy can result in Heimdall failing to match a rule for a request host that differs only in letter casing. Version 0.16.0 and later enforce secure defaults and refuse to start with an \u0026ldquo;allow all\u0026rdquo; configuration unless that enforcement is explicitly disabled with the \u003ccode\u003e--insecure-skip-secure-default-rule-enforcement\u003c/code\u003e or \u003ccode\u003e--insecure\u003c/code\u003e flags. 
The vulnerability affects Heimdall versions prior to 0.17.14 and can be exploited if rule matching relies on the request host, potentially leading to unintended access control bypass.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a Heimdall instance with host-based access control rules.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a specific rule where the host is used for access control (e.g., \u003ccode\u003eadmin.example.com\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts an HTTP request with a \u003ccode\u003eHost\u003c/code\u003e header that differs only in casing (e.g., \u003ccode\u003eAdmin.Example.Com\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eHeimdall fails to match the intended rule due to the case-sensitive comparison.\u003c/li\u003e\n\u003cli\u003eIf no default rule is configured, Heimdall returns a \u0026ldquo;404 Not Found\u0026rdquo; error.\u003c/li\u003e\n\u003cli\u003eIf a permissive default rule is configured (e.g., allowing anonymous access, which is discouraged since v0.16.0), Heimdall executes this default rule.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to resources or functionality that should be protected by the intended rule.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits the gained access to modify data, invoke functionality, or escalate privileges depending on the exposed functionality.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eBypassing access control policies enforced by Heimdall can lead to unauthorized access to sensitive data, modification of critical information, or invocation of restricted functionality. Depending on the exposed functionality, this could also lead to privilege escalation. 
The severity of the impact depends heavily on the misconfiguration of Heimdall\u0026rsquo;s rules, particularly the presence of overly permissive default rules. Successful exploitation can compromise the confidentiality, integrity, and availability of the protected application or service.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eNormalize request hosts to lowercase in layers in front of Heimdall to mitigate the case sensitivity issue.\u003c/li\u003e\n\u003cli\u003eAvoid configuring permissive default rules. Remove or disable the \u003ccode\u003e--insecure\u003c/code\u003e or \u003ccode\u003e--insecure-skip-secure-default-rule-enforcement\u003c/code\u003e flags.\u003c/li\u003e\n\u003cli\u003eWhen using the \u003ccode\u003eregex\u003c/code\u003e type for host matching, define expressions in a case-insensitive manner (e.g., \u003ccode\u003e(?i)^admin\\.example\\.com$\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eUpgrade to Heimdall version 0.17.14 or later to patch the vulnerability directly.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-02-heimdall-case-sensitivity/","summary":"Heimdall performs case-sensitive host matching, which can lead to policy bypass because HTTP hostnames are case-insensitive, potentially leading to unauthorized access, data modification, or privilege escalation if the request host is part of the rule.","title":"Heimdall Host Matching Case-Sensitivity Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-02-heimdall-case-sensitivity/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["heimdall"],"_cs_severities":["high"],"_cs_tags":["authorization-bypass","path-normalization","cloud"],"_cs_type":"advisory","_cs_vendors":["dadrus"],"content_html":"\u003cp\u003eHeimdall, a cloud-native security proxy, is susceptible to an authorization bypass 
vulnerability. This issue arises from a discrepancy in how Heimdall handles request paths compared to downstream components. Specifically, Heimdall performs rule matching on the raw, non-normalized request path, while downstream components might normalize dot-segments (e.g., \u003ccode\u003e/user/../admin\u003c/code\u003e) according to RFC 3986. This can lead to Heimdall authorizing a request based on the raw path, whereas the downstream service processes a different, normalized path, potentially bypassing intended access controls. The vulnerability affects Heimdall versions prior to 0.17.14. Exploitation is possible when using wildcards in rule matching without further constraints. This could allow attackers to access restricted resources or functionalities.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a malicious HTTP request with a path containing dot-segments (e.g., \u003ccode\u003e/public/../user/resource\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe request is sent to the Heimdall proxy.\u003c/li\u003e\n\u003cli\u003eHeimdall performs rule matching on the raw, non-normalized path (\u003ccode\u003e/public/../user/resource\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eHeimdall incorrectly matches the request to a less restrictive rule, such as a rule for \u003ccode\u003e/public/**\u003c/code\u003e, due to the initial \u003ccode\u003e/public\u003c/code\u003e segment.\u003c/li\u003e\n\u003cli\u003eHeimdall authorizes the request based on the matched rule, potentially allowing anonymous access.\u003c/li\u003e\n\u003cli\u003eThe request is forwarded to the downstream service.\u003c/li\u003e\n\u003cli\u003eThe downstream service normalizes the request path to \u003ccode\u003e/user/resource\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe downstream service processes the request as \u003ccode\u003e/user/resource\u003c/code\u003e, bypassing the intended access controls for that 
resource, possibly leading to data access or privilege escalation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows attackers to bypass access control policies enforced by Heimdall. This can lead to unauthorized access to sensitive data, modification of restricted data, invocation of privileged functionality without proper authentication or authorization, and in certain configurations, escalation of privileges. The number of potential victims depends on the deployment and configuration of Heimdall within affected environments.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Heimdall to version 0.17.14 or later to remediate the vulnerability.\u003c/li\u003e\n\u003cli\u003eIn layers in front of Heimdall (e.g., Envoy with path normalization enabled), normalize HTTP paths or reject paths containing relative path expressions (\u003ccode\u003e..\u003c/code\u003e segments) before they reach Heimdall, as suggested in the vendor advisory.\u003c/li\u003e\n\u003cli\u003eAdd detection (e.g., a Sigma rule over proxy or access logs) for HTTP requests whose raw path contains dot-segments (\u003ccode\u003e..\u003c/code\u003e), since legitimate clients rarely send them.\u003c/li\u003e\n\u003cli\u003eAvoid wildcard rules without further constraints, which is the pattern that makes this mismatch exploitable.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-02-heimdall-auth-bypass/","summary":"Heimdall is vulnerable to an authorization bypass due to a path normalization mismatch between Heimdall and downstream components, potentially leading to unauthorized access and privilege escalation.","title":"Heimdall Authorization Bypass via Path Normalization Mismatch","url":"https://feed.craftedsignal.io/briefs/2024-01-02-heimdall-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Dadrus","version":"https://jsonfeed.org/version/1.1"}
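The three briefs in this feed describe one class of defect: the policy engine matches on a representation of the request (a case-sensitive host, the raw path, only the uppercase `%2F`) that differs from what the backend eventually acts on. The Go program below is an added example for all three briefs; it is not code from Heimdall or from the feed. It pairs a matcher that reproduces the pre-0.17.14 behaviours the briefs describe with one that canonicalises host and path first, and prints what the backend would see for each probe. The `Rule` type, the rule set, the hostnames and the probe paths are constructed for illustration and are not Heimdall's rule schema.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// Rule is a constructed stand-in for an access rule, not Heimdall's schema:
// host, path pattern (exact or a prefix ending in "/**"), anonymous allowed.
type Rule struct {
	ID, Host, PathGlob string
	Anonymous          bool
}

// Decision records which rule fired and whether an anonymous caller gets in.
type Decision struct {
	RuleID  string // empty when nothing matched and no default rule exists
	Allowed bool
	Reason  string
}

// hasEncodedSlash treats %2F and %2f alike (RFC 3986 2.1: hex digits are case-insensitive).
func hasEncodedSlash(rawPath string) bool {
	return strings.Contains(strings.ToUpper(rawPath), "%2F")
}

// normalizePath removes "." and ".." segments (RFC 3986 5.2.4); the forced leading "/" pins ".." to the root.
func normalizePath(p string) string {
	return path.Clean("/" + strings.TrimPrefix(p, "/"))
}

// upstreamView is what a typical backend routes on: the percent-decoded path with dot-segments collapsed.
func upstreamView(rawPath string) string {
	decoded, err := url.PathUnescape(rawPath)
	if err != nil {
		return rawPath
	}
	return normalizePath(decoded)
}

func matchPath(glob, p string) bool {
	if prefix := strings.TrimSuffix(glob, "/**"); prefix != glob {
		return p == prefix || strings.HasPrefix(p, prefix+"/")
	}
	return glob == p
}

func decide(rules []Rule, def *Rule, hostEq func(a, b string) bool, host, p string) Decision {
	for _, r := range rules {
		if hostEq(r.Host, host) && matchPath(r.PathGlob, p) {
			return Decision{RuleID: r.ID, Allowed: r.Anonymous, Reason: "rule matched"}
		}
	}
	if def != nil {
		return Decision{RuleID: def.ID, Allowed: def.Anonymous, Reason: "default rule"}
	}
	return Decision{Reason: "no rule matched (404)"}
}

// evaluateRaw reproduces the pre-0.17.14 behaviours the briefs describe: only uppercase
// %2F counts as an encoded slash, the host is compared case-sensitively, and the path is
// matched exactly as received.
func evaluateRaw(rules []Rule, def *Rule, host, rawPath string) Decision {
	if strings.Contains(rawPath, "%2F") {
		return Decision{Reason: "encoded slash rejected"}
	}
	return decide(rules, def, func(a, b string) bool { return a == b }, host, rawPath)
}

// evaluateHardened canonicalises first, so the matcher sees the same host and path the
// backend will act on; encoded slashes in either case are rejected (allow_encoded_slashes off).
func evaluateHardened(rules []Rule, def *Rule, host, rawPath string) Decision {
	if hasEncodedSlash(rawPath) {
		return Decision{Reason: "encoded slash rejected"}
	}
	return decide(rules, def, strings.EqualFold, host, normalizePath(rawPath))
}

// demoRules is a constructed rule set carrying the misconfiguration the briefs warn
// about: a permissive default rule that admits anonymous traffic.
func demoRules() ([]Rule, *Rule) {
	return []Rule{
		{ID: "admin", Host: "admin.example.com", PathGlob: "/admin/**"},
		{ID: "public", Host: "admin.example.com", PathGlob: "/public/**", Anonymous: true},
	}, &Rule{ID: "default", Anonymous: true}
}

func main() {
	rules, def := demoRules()
	for _, pr := range [][2]string{
		{"admin.example.com", "/admin%2fsecret"},         // brief 1: lowercase encoded slash
		{"Admin.Example.Com", "/admin/secret"},           // brief 2: host differs only in case
		{"admin.example.com", "/public/../admin/secret"}, // brief 3: dot-segments
	} {
		raw, hard := evaluateRaw(rules, def, pr[0], pr[1]), evaluateHardened(rules, def, pr[0], pr[1])
		fmt.Printf("%s %s -> upstream sees %s\n  raw:      %-8s %-24s anonymous allowed=%t\n  hardened: %-8s %-24s anonymous allowed=%t\n",
			pr[0], pr[1], upstreamView(pr[1]), raw.RuleID, raw.Reason, raw.Allowed, hard.RuleID, hard.Reason, hard.Allowed)
	}
}
```

Run it with `go run` and compare the two matchers against `upstreamView`: for every probe the raw matcher lands on a rule that admits anonymous traffic while the backend serves `/admin/secret`; the hardened matcher either rejects the request or lands on the `admin` rule. Passing `nil` instead of the default rule to `evaluateRaw` shows what the briefs' deny-by-default recommendation buys: the unmatched requests then stop with a 404 even in the unpatched matcher.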