Crafted backend URLs in Lura Project

Posted date 29/07/2022
Importance
3 - Medium
Affected Resources
  • Lura and KrakenD-CE, versions older than 2.0.2;
  • KrakenD-EE versions older than 2.0.0.
Description

INCIBE has coordinated the publication of a vulnerability in Lura Project, with the internal code INCIBE-2022-0850, which has been discovered by GitHub user Fepame.

CVE-2022-1561 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.0 has been calculated; the CVSS vector string is AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N.

Solution
  • Lura Project and KrakenD-CE users must upgrade to version 2.0.2 or higher;
  • KrakenD-EE users must upgrade to version 2.0.0 or higher.
Detail

Lura and KrakenD-CE versions older than 2.0.2 and KrakenD-EE versions older than 2.0.0 do not sanitize URL parameters correctly, allowing a malicious user to alter the backend URL defined for a pipe when remote users send crafted URL requests.

The vulnerability does not affect KrakenD itself, but the consumed backend might be vulnerable.

CWE-471: Modification of Assumed-Immutable Data.
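As an added illustration, not Lura's or KrakenD's own code: a hypothetical Go route builder that substitutes request parameters into a backend path, shown beside a builder that confines each parameter to a single path segment. The route pattern, backend host and function names are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path"
	"strings"
)

// ErrBadParam is returned when a value would change the backend route.
var ErrBadParam = errors.New("parameter would alter backend URL")

// naiveRoute substitutes raw values and returns the normalized path a backend would serve.
func naiveRoute(base, pattern string, params map[string]string) string {
	out := pattern
	for k, v := range params {
		out = strings.ReplaceAll(out, "{"+k+"}", v)
	}
	u, err := url.Parse(base + out)
	if err != nil {
		return ""
	}
	return path.Clean(u.Path) // "/users/../admin/profile" becomes "/admin/profile"
}

// buildSafe treats each value as one path segment: reject dots/delimiters, escape, check prefix.
func buildSafe(base, pattern string, params map[string]string) (string, error) {
	out := pattern
	for k, v := range params {
		if v == "" || v == "." || v == ".." || strings.ContainsAny(v, "/?#\\") {
			return "", ErrBadParam
		}
		out = strings.ReplaceAll(out, "{"+k+"}", url.PathEscape(v))
	}
	u, err := url.Parse(base + out)
	if err != nil {
		return "", err
	}
	prefix, _, _ := strings.Cut(pattern, "{") // fixed part before the first placeholder
	if !strings.HasPrefix(u.Path, prefix) || u.RawQuery != "" || u.Fragment != "" {
		return "", ErrBadParam
	}
	return u.String(), nil
}

func main() {
	base, pattern := "http://backend.internal", "/users/{id}/profile" // constructed
	fmt.Println(naiveRoute(base, pattern, map[string]string{"id": "../admin"}))
	fmt.Println(buildSafe(base, pattern, map[string]string{"id": "42"}))
}
```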

If you have any information regarding this advisory, please contact INCIBE as indicated in the CVE Assignment and publication section.
