News KrakenD 2.1.1 Enterprise released - Now with ARM64 support

CVE-2022-1561: Crafted backend urls

by Daniel López

Jun 21, 2022

1 min read

There is a new vulnerability in the Lura Project software (which is the KrakenD’s engine). We have immediately corrected the problem in the subsequent release after its report. Please upgrade to the latest version.

We have also submitted the CVE-2022-1561

Vulnerability description

URL params not sanitized correctly in the package github.com/luraproject/lura/v2/router/gin allow a malicious user to alter the backend URL defined for a pipe when remote users send crafty URL requests. The vulnerability does not affect KrakenD itself, but the consumed backend might be vulnerable.

Affected versions

Lura and KrakenD-CE versions older than v2.0.2 and KrakenD-EE versions older than v2.0.0

Common Vulnerability Scoring System

The CVSS v3 score is 3.6 out of 10 (LOW severity)

Vector: AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N/E:P/RL:O/RC:C

Common Weakness Enumeration

CWE-471 Modification of Assumed-Immutable Data

Solution

  • Lura Project users upgrade to v2.0.2 or higher
  • Krakend CE users upgrade to v2.0.2 or higher
  • KrakenD EE users upgrade to v2.0.0 or higher

Researcher

Thanks to Github user Fepame for finding this vulnerability.

Stay up to date with KrakenD releases and important updates

We use cookies to understand how you use our site and to improve your overall experience. By continuing to use our site, you accept our Privacy Policy. More information