Severity: 9.8 (Critical)
The Heimdall Gateway application is vulnerable to SQL injection in its API routing mechanism, allowing unauthenticated attackers to inject SQL statements via the API's URL when the HTTP protocol is downgraded.
Affected Versions:
- getheimdall/heimdall <= 2.17.0
Impact:
An attacker is able to tamper with the SQL syntax of the routing query, allowing them to compromise all data in the Postgres database as well as execute arbitrary SQL.
Proof of Concept:
- Get an instance of Heimdall running as per the documentation, or via docker-compose
- Add any API to the orchestrator; this is part of basic Heimdall functionality
- Locate an API endpoint on the Heimdall Gateway; the following samples assume "user" is an endpoint orchestrated by Heimdall
- Note that for the exploit to work, HTTP/1.0 must be used instead of HTTP/1.1, with an empty Host header
- Use the following command to induce a sleep and demonstrate that a SQL command is executed: curl -v -i --http1.0 -H 'Host:' "http://heimdall_instance/v2/user/';SELECT(pg_sleep(10));--a"
Remediation:
- This software is obsolete and no longer maintained; it should be retired.
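As an added defender-side example (not part of the advisory and not Heimdall's own code), the following Python scans access-log lines for the two signals the advisory describes: an HTTP/1.0 request carrying an empty Host header, and SQL metacharacters in the routed path. The log layout and the sample lines are constructed assumptions, not real Heimdall logs.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in a simple proxy-style access-log layout with a trailing
# host="..." field. The layout is an assumption; these are not real Heimdall Gateway logs.
SAMPLE_LOG = """\
10.0.0.5 [01/Jan/2024:10:00:00 +0000] "GET /v2/user/42 HTTP/1.1" 200 host="gw.example"
10.0.0.9 [01/Jan/2024:10:00:03 +0000] "GET /v2/user/';SELECT(pg_sleep(10));--a HTTP/1.0" 200 host=""
10.0.0.7 [01/Jan/2024:10:00:05 +0000] "GET /v2/user/list HTTP/1.0" 200 host="gw.example"
10.0.0.8 [01/Jan/2024:10:00:09 +0000] "GET /v2/user/%27%3BSELECT%20pg_sleep(5)-- HTTP/1.1" 200 host="gw.example"
"""

LINE_RE = re.compile(
    r'^(?P<src>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>HTTP/\d\.\d)"'
    r' (?P<status>\d{3}) host="(?P<host>[^"]*)"$'
)
# SQL shapes present in the advisory's payload: a quote closing a literal followed by a
# statement separator, a line or block comment, or a Postgres sleep used for time-based confirmation.
SQL_RE = re.compile(r"'\s*;|--|/\*|\bpg_sleep\s*\(|;\s*select\b", re.IGNORECASE)


def parse_line(line: str):
    """Return the named fields of one log line, or None if it does not match the layout."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify(entry: dict) -> list:
    """Return the reasons an entry matches the downgrade-plus-injection pattern (empty if none)."""
    reasons = []
    path = unquote(entry["path"])  # decode %27 etc. before matching
    if entry["proto"] == "HTTP/1.0" and entry["host"] == "":
        reasons.append("http1.0-empty-host")  # the precondition the advisory notes
    if SQL_RE.search(path):
        reasons.append("sql-metachar-in-path")
    return reasons


def scan(log_text: str) -> list:
    """Return (source, path, reasons) for every parsable line that triggers at least one rule."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            findings.append((entry["src"], entry["path"], reasons))
    return findings
```

Calling `scan(SAMPLE_LOG)` returns the two injected requests and ignores the plain HTTP/1.0 request that still carries a Host header.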
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
This issue was discovered and reported by Checkmarx Security Research Team Leader Dor Tumarkin (@dortumarkin).