Heimdal · Heimdal · CVE-2026-42273
**Name of the Vulnerable Software and Affected Versions**
Heimdall versions prior to 0.17.14
**Description**
Heimdall performs host matching in a case-sensitive manner, which conflicts with the case-insensitive nature of HTTP hostnames. This discrepancy allows a request host that differs only in letter casing to fail rule matching, potentially causing the request to be classified differently than intended. If the service is configured with a permissive default rule—which may occur if secure defaults are disabled via the `--insecure` or `--insecure-skip-secure-default-rule-enforcement` flags—this can lead to a bypass of access control policies. Such a bypass may result in unauthorized access to restricted data, invocation of protected functionality, or privilege escalation.
**Recommendations**
Update to version 0.17.14.
Normalize request hosts to lowercase in the layers preceding Heimdall.
Avoid configuring permissive default rules and refrain from using the `--insecure` or `--insecure-skip-secure-default-rule-enforcement` flags.
When using `regex` for host matching, define expressions in a case-insensitive manner, such as `(?i)^admin.example.com$`.
Include the expected rule ID in the JWT issued by Heimdall and verify this value within the consuming project's service.
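The matching discrepancy from the description and the two configuration recommendations (lowercasing the host in front of Heimdall, and `(?i)` in `regex` host matchers) side by side, as an added Go example that is not Heimdall's own code: `Rule`, `Classify`, the rule IDs and the hostnames are constructed for illustration, and the regex escapes the dots so it matches only a literal `.`.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Rule is a hypothetical, simplified stand-in for a Heimdall rule: it matches a
// request host either exactly (case-sensitive string compare) or via a regex.
type Rule struct {
	ID      string
	Host    string         // exact host, used when Pattern is nil
	Pattern *regexp.Regexp // optional host regex
}

func (r Rule) matches(host string) bool {
	if r.Pattern != nil {
		return r.Pattern.MatchString(host)
	}
	return r.Host == host
}

// Classify returns the ID of the first rule matching host, or defaultRule when
// none does. With normalize=true the host is lowercased first, modelling the
// recommended normalisation in the layers preceding Heimdall.
func Classify(rules []Rule, host string, normalize bool, defaultRule string) string {
	if normalize {
		host = strings.ToLower(host)
	}
	for _, r := range rules {
		if r.matches(host) {
			return r.ID
		}
	}
	return defaultRule
}

// Constructed rule set: one exact rule and one case-insensitive regex rule.
var Rules = []Rule{
	{ID: "admin-exact", Host: "admin.example.com"},
	{ID: "api-regex", Pattern: regexp.MustCompile(`(?i)^api\.example\.com$`)},
}

func main() {
	// "default-allow" stands for a permissive default rule, the condition under
	// which a missed match becomes an access-control bypass.
	for _, h := range []string{"admin.example.com", "Admin.Example.COM", "API.example.com"} {
		fmt.Printf("%-18s case-sensitive=%-13s normalized=%s\n", h,
			Classify(Rules, h, false, "default-allow"),
			Classify(Rules, h, true, "default-allow"))
	}
}
```

`Admin.Example.COM` falls through to the default rule under case-sensitive matching but hits `admin-exact` once lowercased, while the `(?i)` regex rule matches `API.example.com` even without normalisation.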