N/A

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-w9mr-28mw-j8hg

EPSS Score

CWE

Published

4/26/2023

Updated

4/27/2023

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-w9mr-28mw-j8hg

GHSA-w9mr-28mw-j8hg:
Hop-by-hop abuse to malform header mutator

Impact

Downstream services relying on the presence of headers set by the header mutator could be exploited. A client can drop the header set by the header mutator by including that header's name in the Connection header. Example minimal config:

- id: 'example'
  upstream:
    url: 'https://example.com'
  match:
    url: 'http://127.0.0.1:4455/'
    methods:
      - GET
  authenticators:
    - handler: anonymous
  authorizer:
    handler: allow
  mutators:
    - handler: header
      config:
        headers:
          X-Subject: {{ .Subject }}

curl -H "Connection: close,x-subject" http://127.0.0.1:4455/

The X-Subject header will not arrive at the downstream server. It is completely dropped. In case the downstream server handles such a request in an unexpected way, an attacker can exploit this, assuming they know or guess the internal header name.

Patches

c5cc7f736dc84185034be4356057d1c7a656d797

Workarounds

The downstream server should handle the case that an expected header is not set by responding with an appropriate error.

References

See background info in https://github.com/golang/go/issues/50580

(GitHub Advisory)

N/A

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-w9mr-28mw-j8hg

EPSS Score

CWE

Published

4/26/2023

Updated

4/27/2023

KEV Status

Technology

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/ory/oathkeeper	go	< 0.40.3	0.40.3

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from how the header mutator adds headers without considering Connection header semantics in HTTP/1.1. The Go net/http package automatically removes headers listed in the Connection header during request forwarding. The HeaderMutator's Mutate function (responsible for injecting headers) doesn't validate() or modify the Connection header to prevent this stripping, making it the vulnerable component. This matches the attack pattern described where client-controlled Connection headers can remove security-critical headers added by the mutator.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t *ownstr**m s*rvi**s r*lyin* on t** pr*s*n** o* *****rs s*t *y t** `*****r` mut*tor *oul* ** *xploit**. * *li*nt **n *rop t** *****r s*t *y t** `*****r` mut*tor *y in*lu*in* t**t *****r's n*m* in t** `*onn**tion` *****r. *x*mpl* minim*l *o

Reasoning

T** vuln*r**ility st*ms *rom *ow t** *****r mut*tor ***s *****rs wit*out *onsi**rin* *onn**tion *****r s*m*nti*s in `*TTP/*.*`. T** *o `n*t/*ttp` p**k*** *utom*ti**lly r*mov*s *****rs list** in t** *onn**tion *****r *urin* r*qu*st *orw*r*in*. T** `**

N/A

Basic Information

Concerned about an active attack path?

GHSA-w9mr-28mw-j8hg: Hop-by-hop abuse to malform header mutator

Impact

Patches

Workarounds

References

N/A

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

GHSA-w9mr-28mw-j8hg:
Hop-by-hop abuse to malform header mutator

Vulnerability Intelligence
Miggo AI