Heimdall
Monthly
Authorization bypass in Heimdall cloud-native Identity Aware Proxy allows remote unauthenticated attackers to circumvent access control policies via path normalization mismatches. Attackers can craft requests with encoded or relative path traversal sequences (e.g., /public/../admin, /user/%2e%2e/admin) that Heimdall evaluates against one rule while downstream services normalize to a different protected path, enabling unauthorized access to restricted resources or functionality. No public exploit identified at time of analysis, though CVSS vector indicates network-accessible, low-complexity exploitation (CVSS:4.0 AV:N/AC:L/PR:N). Fixed in version 0.17.14.
Heimdall's case-sensitive host matching bypasses access control policies when attackers submit HTTP requests with alternate letter casing in the Host header, exploiting the discrepancy between HTTP spec (case-insensitive hostnames) and Heimdall's implementation. Versions prior to 0.17.14 fail to match rules configured for lowercase hostnames when requests arrive with mixed or uppercase casing, potentially routing to permissive default rules and granting unintended access. This vulnerability is most dangerous when Heimdall is deployed with insecure default rule enforcement flags enabled, though it requires attackers to know the exact hostname pattern and exploit misconfiguration.
Authorization bypass in Heimdall cloud-native Identity Aware Proxy affects versions prior to 0.17.14 due to case-sensitive URL-encoded slash handling. Remote unauthenticated attackers can craft requests with lowercase-encoded slashes (%2f) to evade path-based access controls when 'allow_encoded_slashes' is disabled (default). This discrepancy between Heimdall's path interpretation and upstream services enables access to restricted endpoints if a permissive default rule exists. GitHub reports a public fix (PR #3207, commit 8b0de6a) with patched version 0.17.14 released. No public exploit identified at time of analysis. CVSS 7.8 with CVSS:4.0 vector indicates network-accessible, low-complexity attack requiring no privileges or user interaction, though real-world impact depends on deployment configuration.
Authorization bypass in Heimdall cloud-native Identity Aware Proxy allows remote unauthenticated attackers to circumvent access control policies via path normalization mismatches. Attackers can craft requests with encoded or relative path traversal sequences (e.g., /public/../admin, /user/%2e%2e/admin) that Heimdall evaluates against one rule while downstream services normalize to a different protected path, enabling unauthorized access to restricted resources or functionality. No public exploit identified at time of analysis, though CVSS vector indicates network-accessible, low-complexity exploitation (CVSS:4.0 AV:N/AC:L/PR:N). Fixed in version 0.17.14.
Heimdall's case-sensitive host matching bypasses access control policies when attackers submit HTTP requests with alternate letter casing in the Host header, exploiting the discrepancy between HTTP spec (case-insensitive hostnames) and Heimdall's implementation. Versions prior to 0.17.14 fail to match rules configured for lowercase hostnames when requests arrive with mixed or uppercase casing, potentially routing to permissive default rules and granting unintended access. This vulnerability is most dangerous when Heimdall is deployed with insecure default rule enforcement flags enabled, though it requires attackers to know the exact hostname pattern and exploit misconfiguration.
Authorization bypass in Heimdall cloud-native Identity Aware Proxy affects versions prior to 0.17.14 due to case-sensitive URL-encoded slash handling. Remote unauthenticated attackers can craft requests with lowercase-encoded slashes (%2f) to evade path-based access controls when 'allow_encoded_slashes' is disabled (default). This discrepancy between Heimdall's path interpretation and upstream services enables access to restricted endpoints if a permissive default rule exists. GitHub reports a public fix (PR #3207, commit 8b0de6a) with patched version 0.17.14 released. No public exploit identified at time of analysis. CVSS 7.8 with CVSS:4.0 vector indicates network-accessible, low-complexity attack requiring no privileges or user interaction, though real-world impact depends on deployment configuration.