HTTP Request Header Injection

Affecting io.micronaut:micronaut-http-client artifact, versions [,1.2.11) || [1.3.0,1.3.2)


Overview

io.micronaut:micronaut-http-client is the HTTP client module of Micronaut, a modern, JVM-based, full-stack microservices framework designed for building modular, easily testable microservice applications.

Affected versions of this package are vulnerable to HTTP Request Header Injection (CWE-113) because request header values passed to the client are not validated. A value containing CR/LF characters is written into the outgoing request as-is, so an attacker who controls a header value (for example through a query parameter that the application copies into a header) can inject additional headers into the request the client sends.
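The following is an added example, not code from the advisory or from the Micronaut project, written in Python rather than Java so that the on-the-wire effect can be shown without a running Micronaut application. It models a client that serialises header values without validation, parses the result the way a server would, and applies the CR/LF/NUL check that a fixed client performs. The attacker-controlled value and the function names are constructed for the demonstration.

```python
# Added example; it is not code from the advisory or from the Micronaut
# project. It models a client that writes header values to the wire without
# validation (CWE-113) and a check of the kind a fixed client applies.
# The attacker-controlled header value below is constructed for the demo.

ATTACKER_VALUE = "ok\r\nX-Injected: pwned"      # constructed sample input


def serialize_request_unsafe(method, path, headers):
    """Naive HTTP/1.1 serialiser: no validation of header values.

    A value containing CR LF is written verbatim, so the receiving server
    reads whatever follows the CR LF as a separate header line.
    """
    lines = [f"{method} {path} HTTP/1.1"]
    for name, value in headers:
        lines.append(f"{name}: {value}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


def parse_request_head(raw):
    """Parse the head of an HTTP/1.1 request the way a server would.

    Returns (request_line, [(name, value), ...]). Everything after the first
    blank line is body (or a smuggled second request) and is ignored here,
    which is why a value containing CR LF CR LF is just as dangerous.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    parsed = []
    for line in header_lines:
        name, _, value = line.partition(":")
        parsed.append((name.strip(), value.strip()))
    return request_line, parsed


def validate_header_value(value):
    """Reject values that could break out of the header line."""
    if any(c in value for c in "\r\n\0"):
        raise ValueError("header value contains CR, LF or NUL")
    return value


def serialize_request_safe(method, path, headers):
    """Same serialiser, but every value is checked before it is written."""
    checked = [(name, validate_header_value(value)) for name, value in headers]
    return serialize_request_unsafe(method, path, checked)


def header_names_seen_by_server(value, safe=False):
    """Header names a server parses when `value` is set as the Test header.

    With the unsafe serialiser the injected X-Injected header appears as if
    the application had sent it; the safe serialiser raises ValueError.
    """
    serializer = serialize_request_safe if safe else serialize_request_unsafe
    raw = serializer("GET", "/hello", [("Host", "localhost"), ("Test", value)])
    _, headers = parse_request_head(raw)
    return [name for name, _ in headers]


if __name__ == "__main__":
    print(header_names_seen_by_server(ATTACKER_VALUE))
    # -> ['Host', 'Test', 'X-Injected']
    try:
        header_names_seen_by_server(ATTACKER_VALUE, safe=True)
    except ValueError as exc:
        print("rejected:", exc)
```

Rejecting the value outright, rather than stripping CR/LF, is the right choice for a client library: a silently "cleaned" value changes application semantics, and a hard failure surfaces the untrusted input at the point where it entered.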

PoC by Jonathan Leitschuh

import io.micronaut.http.HttpRequest;
import io.micronaut.http.MediaType;
import io.micronaut.http.annotation.Controller;
import io.micronaut.http.annotation.Get;
import io.micronaut.http.annotation.Produces;
import io.micronaut.http.annotation.QueryValue;
import io.micronaut.http.client.RxHttpClient;
import io.micronaut.http.client.annotation.Client;

import javax.inject.Inject;

@Controller("/hello")
public class HelloController {

    @Inject
    @Client("/")
    RxHttpClient client;

    // The "header-value" query parameter is copied unvalidated into a header of
    // the outgoing client request; a value containing CR/LF injects further headers.
    @Get("/external-exploit")
    @Produces(MediaType.TEXT_PLAIN)
    public String externalExploit(@QueryValue("header-value") String headerValue) {
        return client.toBlocking().retrieve(
            HttpRequest.GET("/hello")
                .header("Test", headerValue)
        );
    }
}

Remediation

Upgrade io.micronaut:micronaut-http-client to version 1.2.11, 1.3.2 or higher.

CVSS Score

5.6
medium severity
  • Attack Vector
    Network
  • Attack Complexity
    High
  • Privileges Required
    None
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    Low
  • Integrity
    Low
  • Availability
    Low
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C
Credit
Jonathan Leitschuh
CVE
CVE-2020-7611
CWE
CWE-113
Snyk ID
SNYK-JAVA-IOMICRONAUT-561342
Disclosed
26 Mar, 2020
Published
26 Mar, 2020