Adressing CVE-2022-1561: Crafted backend urls
by Daniel López
Jun 21, 2022
There is a new vulnerability in the Lura Project software (which is the KrakenD’s engine). We have immediately corrected the problem in the subsequent release after its report. Please upgrade to the latest version.
We have also submitted the CVE-2022-1561
Vulnerability description
URL params not sanitized correctly in the package github.com/luraproject/lura/v2/router/gin allow a malicious user to alter the backend URL defined for a pipe when remote users send crafty URL requests. The vulnerability does not affect KrakenD itself, but the consumed backend might be vulnerable.
Affected versions
Lura and KrakenD-CE versions older than v2.0.2 and KrakenD-EE versions older than v2.0.0
Common Vulnerability Scoring System
The CVSS v3 score is 3.6 out of 10 (LOW severity)
Vector: AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N/E:P/RL:O/RC:C
Common Weakness Enumeration
CWE-471 Modification of Assumed-Immutable Data
Solution
- Lura Project users upgrade to
v2.0.2or higher - Krakend CE users upgrade to
v2.0.2or higher - KrakenD EE users upgrade to
v2.0.0or higher
Researcher
Thanks to Github user Fepame for finding this vulnerability.
Categories: Security
