CVE-2022-3767 in DAST Analyzer
Summary
by MITRE • 03/10/2023
Missing validation in DAST analyzer, affecting all versions from 1.11.0 prior to 3.0.32, allows custom request headers to be sent with every request, regardless of the host.
Analysis
by VulDB Data Team • 04/02/2023
CVE-2022-3767 is a critical security flaw in the DAST (Dynamic Application Security Testing) analyzer affecting versions 1.11.0 through 3.0.31. It stems from inadequate input validation that lets an attacker manipulate HTTP request headers in ways that compromise the integrity and confidentiality of security testing operations. Headers that should be restricted by host validation are instead sent unconditionally, creating attack vectors that reach beyond the intended security boundary of the scan.
The defect lies in the analyzer's header-handling logic, where custom request headers are processed without any host verification step. When the analyzer issues a testing request, it does not check whether the configured custom headers are appropriate for the target host or domain. An attacker who can influence those headers can therefore have malicious headers transmitted with every request regardless of the destination host, bypassing the intended restriction and potentially enabling unauthorized data exfiltration or command injection attacks.
The operational impact goes beyond simple header manipulation, because it undermines the security posture of the applications under test. Teams relying on DAST for automated vulnerability assessment may unknowingly expose sensitive data, since improperly validated headers can carry authentication tokens, session identifiers, or other confidential values to hosts that were never meant to receive them. This creates a persistent risk that an attacker could use the flaw to establish an unauthorized communication channel and gain access to internal systems or data that should remain protected during testing.
From a framework perspective the vulnerability maps to CWE-20, "Improper Input Validation", and is aligned with ATT&CK technique T1071.004 for application layer protocol manipulation. It is a significant weakness in the software's defensive mechanisms and reflects poor adherence to secure coding practices that should prevent unauthorized header modification. Organizations running affected DAST versions face increased risk of data leakage, unauthorized access, and compromise of their security testing infrastructure, particularly where multiple hosts or domains are tested in a single scan.
The recommended mitigation is to upgrade immediately to version 3.0.32 or later, which verifies host legitimacy before custom headers are appended to a request. Security administrators should also add monitoring for anomalous header patterns that might indicate exploitation attempts, review network segmentation and access controls to limit the impact of header injection, and audit their DAST configurations to confirm that no unauthorized header modifications occurred during the vulnerable period. The fix addresses the root cause with a mandatory host validation check that stops header injection across target domains, restoring the intended security boundary of the DAST testing environment.
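The missing check and its fix, shown as an added illustration that is not the analyzer's own code: a header builder with the vulnerable unconditional behaviour beside a hardened one that attaches custom headers only to requests bound for the configured target origin. The target URL, the Authorization header and the crawled URLs are constructed sample values.

```python
from urllib.parse import urlparse

# Constructed scan configuration (not from the page): one target plus a
# custom header that should only ever reach that target.
TARGET_URL = "https://app.example.com"
CUSTOM_HEADERS = {"Authorization": "Bearer constructed-scan-token"}

# Constructed URLs a crawl of the target might reach: same origin, a
# third-party CDN, a plain-http variant and a look-alike domain.
CRAWLED_URLS = [
    "https://app.example.com/login",
    "https://app.example.com:443/api/users",
    "https://cdn.example.net/lib.js",
    "http://app.example.com/health",
    "https://app.example.com.lookalike.test/redirect",
]

def build_headers_vulnerable(request_url, custom_headers):
    """Pre-fix behaviour as the advisory describes it: the custom headers
    ride along on every request, whatever its host."""
    return dict(custom_headers)

def _origin(url):
    """Normalise a URL to (scheme, lowercase host, effective port)."""
    p = urlparse(url)
    if p.scheme not in ("http", "https") or not p.hostname:
        raise ValueError(f"unsupported URL: {url!r}")
    port = p.port or (443 if p.scheme == "https" else 80)
    return (p.scheme, p.hostname.lower(), port)

def build_headers_fixed(request_url, custom_headers, target_url):
    """Hardened form: attach the custom headers only when the request
    goes to the configured target origin (exact scheme, host and port)."""
    if _origin(request_url) == _origin(target_url):
        return dict(custom_headers)
    return {}

def urls_receiving_headers(urls, fixed, target_url=TARGET_URL, custom_headers=CUSTOM_HEADERS):
    """URLs that would be sent the custom headers under the vulnerable
    (fixed=False) or the hardened (fixed=True) logic."""
    sent_to = set()
    for url in urls:
        if fixed:
            headers = build_headers_fixed(url, custom_headers, target_url)
        else:
            headers = build_headers_vulnerable(url, custom_headers)
        if headers:
            sent_to.add(url)
    return sent_to
```

Running `urls_receiving_headers(CRAWLED_URLS, fixed=False)` returns every crawled URL, including the CDN and the look-alike domain, while `fixed=True` returns only the two same-origin URLs.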