The vulnerability allows attackers to gain unauthorized access to cloud applications.
The vulnerability, called ParseThru, was discovered by experts from the Israeli company Oxeye. ParseThru allows attackers to gain unauthorized access to cloud applications written in Golang. The experts attribute the vulnerability to inconsistencies that arise from a change in the URL query parsing logic of Golang's "net/url" library.
The experts explain that, up until version 1.17, Golang treated the semicolon as a valid query separator (for example, example.com?a=1;b=2&c=3). Later versions changed this behavior to report an error when the query string contains a semicolon.
The researchers determined that ParseThru occurs when a public-facing Golang API running 1.17 or later forwards requests to a backend service running an earlier version. An attacker can thus smuggle in request parameters that should normally be rejected.
Simply put, the attacker sends requests whose query string contains a semicolon. The parameters it separates are ignored by the public-facing Golang API but processed by the internal service.
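The parsing gap described above, as an added illustration that is not part of the article or of Oxeye's research: parseLegacy is an assumed re-implementation of the pre-1.17 separator rule, parseModern calls the current url.ParseQuery, and hiddenParams / rejectSemicolonQuery are hypothetical defender-side checks a front end could apply before forwarding a request.

```go
package main

import (
	"fmt"
	"net/url"
	"sort"
	"strings"
)

// parseLegacy emulates the pre-1.17 net/url rule where both '&' and ';'
// separate key=value pairs. Assumed re-implementation for illustration only.
func parseLegacy(rawQuery string) url.Values {
	values := url.Values{}
	isSep := func(r rune) bool { return r == '&' || r == ';' }
	for _, pair := range strings.FieldsFunc(rawQuery, isSep) {
		kv := strings.SplitN(pair, "=", 2)
		key, _ := url.QueryUnescape(kv[0])
		val := ""
		if len(kv) == 2 {
			val, _ = url.QueryUnescape(kv[1])
		}
		values[key] = append(values[key], val)
	}
	return values
}

// parseModern is the Go 1.17+ behaviour: every '&'-delimited pair that
// contains a ';' is dropped and an error is reported for it.
func parseModern(rawQuery string) (url.Values, error) {
	return url.ParseQuery(rawQuery)
}

// hiddenParams lists parameter names a pre-1.17 backend would accept that a
// 1.17+ front end never sees; a non-empty result flags a ParseThru request.
func hiddenParams(rawQuery string) []string {
	front, _ := parseModern(rawQuery)
	var hidden []string
	for key := range parseLegacy(rawQuery) {
		if _, seen := front[key]; !seen {
			hidden = append(hidden, key)
		}
	}
	sort.Strings(hidden)
	return hidden
}

// rejectSemicolonQuery is the simplest front-end guard: refuse to forward any
// query the front end itself could not fully parse.
func rejectSemicolonQuery(rawQuery string) bool {
	return strings.Contains(rawQuery, ";")
}

func main() {
	raw := "a=1;b=2&c=3" // constructed sample, the article's own example
	front, err := parseModern(raw)
	fmt.Println("front end sees:", front, "error:", err)
	fmt.Println("backend sees:", parseLegacy(raw), "hidden:", hiddenParams(raw))
}
```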
Oxeye researchers have found several open source projects vulnerable to ParseThru: Harbor, Traefik, and Skipper. Oxeye promptly informed the developers of vulnerable applications and they have already released updates that close the gaps in their protection.