CVE-2022-1561: Crafted backend urls
by Daniel López
Jun 21, 2022
There is a new vulnerability in the Lura Project software (KrakenD's engine). We corrected the problem in the release immediately following its report. Please upgrade to the latest version.
We have also submitted the CVE-2022-1561.
URL params not sanitized correctly in the package github.com/luraproject/lura/v2/router/gin allow a malicious user to alter the backend URL defined for a pipe by sending crafted URL requests. The vulnerability does not affect KrakenD itself, but the consumed backend might be vulnerable.
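The weakness class above (CWE-471, a URL param rewriting a backend path the pipe configuration treats as fixed) is easy to see in a small Go program. The following is an added illustration, not code from Lura or KrakenD: the route template, the `{{.Name}}` placeholder syntax, the parameter map and the `buildRaw`/`buildSafe` helpers are all constructed for this example. `buildRaw` shows the unsafe pattern of verbatim substitution; `buildSafe` treats each param as exactly one path segment, rejects dot segments, percent-encodes the value and verifies the segment count still matches the template.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Constructed example template (not Lura's own code): the backend route for
// a pipe, with per-request placeholders in the form {{.Name}}.
const backendTemplate = "/api/v1/users/{{.UserID}}/posts/{{.PostID}}"

// ErrParamAltersRoute is returned when a param would change the route shape.
var ErrParamAltersRoute = errors.New("url param would alter the backend route")

// placeholder renders the {{.Name}} token for a param name.
func placeholder(name string) string { return "{{." + name + "}}" }

// buildRaw is the unsafe pattern: params are substituted verbatim, so a value
// containing '/', '..', '?' or '#' rewrites the backend path (CWE-471).
func buildRaw(tmpl string, params map[string]string) string {
	out := tmpl
	for name, value := range params {
		out = strings.ReplaceAll(out, placeholder(name), value)
	}
	return out
}

// buildSafe treats every param as exactly one path segment: it rejects empty
// and dot segments, percent-encodes everything else (so '/' becomes %2F and
// '?' becomes %3F), and finally confirms that the number of '/' separators
// still matches the template's, i.e. the route structure is unchanged.
func buildSafe(tmpl string, params map[string]string) (string, error) {
	out := tmpl
	for name, value := range params {
		if value == "" || value == "." || value == ".." {
			return "", fmt.Errorf("param %q: %w", name, ErrParamAltersRoute)
		}
		out = strings.ReplaceAll(out, placeholder(name), url.PathEscape(value))
	}
	if strings.Count(out, "/") != strings.Count(tmpl, "/") ||
		strings.ContainsAny(out, "?#") {
		return "", ErrParamAltersRoute
	}
	return out, nil
}

func main() {
	// Constructed inputs: a benign request and one whose param carries a '/'.
	benign := map[string]string{"UserID": "42", "PostID": "7"}
	crafted := map[string]string{"UserID": "42/extra", "PostID": "7"}

	fmt.Println("raw, benign:  ", buildRaw(backendTemplate, benign))
	fmt.Println("raw, crafted: ", buildRaw(backendTemplate, crafted))
	if p, err := buildSafe(backendTemplate, crafted); err != nil {
		fmt.Println("safe, crafted:", err)
	} else {
		fmt.Println("safe, crafted:", p)
	}
}
```

The segment-count check is the defensive invariant worth keeping regardless of how the escaping is done: if a request can change how many path segments the backend sees, the backend URL the pipe was configured with is no longer the one being called.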
Affected versions: Lura and KrakenD-CE versions older than v2.0.2 and KrakenD-EE versions older than v2.0.0.
Common Vulnerability Scoring System
The CVSS v3 score is 3.6 out of 10.
Common Weakness Enumeration
CWE-471 Modification of Assumed-Immutable Data
- Lura Project users upgrade to
- KrakenD CE users upgrade to
- KrakenD EE users upgrade to
Thanks to GitHub user Fepame for finding this vulnerability.