LinuxServer.io heimdall 2.6.3-ls307 contains a vulnerability in how it handles user-supplied HTTP headers, specifically `X-Forwarded-Host` and `Referer`. An unauthenticated remote attacker can manipulate these headers to perform Host Header Injection and Open Redirect attacks. This allows the loading of external resources from attacker-controlled domains and unintended redirection of users, potentially enabling phishing, UI redress, and session theft. The vulnerability exists due to insufficient validation and trust of untrusted input, affecting the integrity and trustworthiness of the application.
An attacker remotely and without authentication manipulates HTTP headers `X-Forwarded-Host` or `Referer`, which the application accepts without proper verification as a trusted source. Injecting attacker-controlled header values allows the application to load external resources from attacker domains (Host Header Injection) or redirect the user to any URL (Open Redirect). This results from insufficient validation of untrusted input data, classifying the vulnerability as CWE-20 (improper input validation) and CWE-74/CWE-601 (injection and open redirect).
Attackers can conduct phishing attacks by redirecting users to malicious sites, perform session hijacking, manipulate the user interface (UI redress), and force loading of external resources from attacker-controlled domains, compromising application integrity and trustworthiness.
Apply patches available from the vendor according to the references. As a remedial measure, consider implementing rules at the reverse proxy or firewall level to reject unexpected values in `X-Forwarded-Host` and `Referer` headers, and restrict access to Heimdall instances exclusively to trusted networks.
LinuxServer.io Heimdall version 2.6.3-ls307
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HLinuxserver Docker Heimdall
APPLinuxserver2.6.3-ls307