Introducing KrakenD Security Advisories Tracker

by Jorge Tarrero

Today we’re publishing the Security Advisories page: a full historical record of every CVE that has touched KrakenD’s dependency tree, with our assessment of how each one affects every release, covering severity, exploitability, affected versions, and whether it is a real threat or a false positive.

Two Types of Entries

Every entry on the page falls into one of two categories.

False positives are CVEs that exist in a Go package that KrakenD depends on, but where KrakenD never reaches the vulnerable code path at runtime. A good example: Go’s html/template package has had several XSS vulnerabilities over the years. KrakenD is an API gateway and never renders HTML. The vulnerability is real in the Go standard library, but it simply cannot be triggered through KrakenD. Each false positive entry explains the specific reason so you can make an informed decision when discussing findings with your security team.

Real advisories are genuine vulnerabilities that could affect KrakenD, even if the KrakenD team has not managed to exploit them. If we consider that an advisory could lead to an attack vector, proven or not, it is treated as a real threat. These entries include the severity, CVSS score, exploitability level, the affected version range, and the version where the issue was fixed. We fix vulnerabilities before we disclose them: a real advisory only appears once a patched version is available, so if we are still working on a fix it will not show up on the page yet.

You can search by CVE ID or filter by your version and edition to see exactly which advisories apply to your installation.

KrakenD as a CVE Numbering Authority

KrakenD is an official CVE Numbering Authority (CNA). This means we have the authority to assign CVE IDs to vulnerabilities discovered in KrakenD software directly, without going through a third party. Advisories published on this page for KrakenD-originated vulnerabilities carry CVE IDs that we assigned ourselves.

Coverage

The page covers KrakenD Community and Enterprise releases from 2.12 onwards. We will keep it up to date with every release. If you see a CVE that isn’t on the page yet, contact us and we will review it.

Visit the Security Advisories page.
