
Addressing CVE-2022-1561: Crafted backend URLs

by Daniel López

There is a new vulnerability in the Lura Project software (which is KrakenD's engine). We corrected the problem in the release immediately following its report. Please upgrade to the latest version.

We have also submitted CVE-2022-1561 for it.

Vulnerability description

URL params not sanitized correctly in the package github.com/luraproject/lura/v2/router/gin allow a malicious user to alter the backend URL defined for a pipe when remote users send crafted URL requests. The vulnerability does not affect KrakenD itself, but the consumed backend might be vulnerable.
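The defect class the advisory describes, as an added illustration that is not Lura's or KrakenD's own code: a hypothetical `BuildBackendURL` helper that validates and percent-escapes each path parameter before substituting it into a backend URL template, so a value taken from the incoming request can only fill the single segment it was meant for. The base URL, the `{name}` template syntax and the function names are assumptions, not the project's API.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// ErrUnsafeParam is returned when a path parameter would change the
// structure of the backend URL instead of filling one path segment.
var ErrUnsafeParam = errors.New("path parameter contains path-altering characters")

// isSafePathParam rejects values that could escape the segment the
// template reserved for them: separators, query/fragment markers and
// the dot segments that path normalization would collapse.
func isSafePathParam(v string) bool {
	if v == "" || v == "." || v == ".." {
		return false
	}
	return !strings.ContainsAny(v, "/\\?#")
}

// BuildBackendURL replaces each {name} placeholder in pattern with the
// validated, percent-escaped parameter value (hypothetical helper).
// An unsafe value aborts the request instead of silently rewriting
// the backend path (the CWE-471 condition described above).
func BuildBackendURL(base, pattern string, params map[string]string) (string, error) {
	path := pattern
	for name, val := range params {
		if !isSafePathParam(val) {
			return "", fmt.Errorf("%w: %s=%q", ErrUnsafeParam, name, val)
		}
		// PathEscape keeps the value inside one segment even if the
		// check above is ever loosened: "/" becomes "%2F".
		path = strings.ReplaceAll(path, "{"+name+"}", url.PathEscape(val))
	}
	return strings.TrimRight(base, "/") + path, nil
}

func main() {
	// Constructed sample: a pipe whose backend is /users/{id}/orders.
	u, err := BuildBackendURL("http://backend:8080", "/users/{id}/orders",
		map[string]string{"id": "42"})
	fmt.Println(u, err)
}
```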

Affected versions

Lura and KrakenD-CE versions older than v2.0.2, and KrakenD-EE versions older than v2.0.0.

Common Vulnerability Scoring System

The CVSS v3 score is 3.6 out of 10 (LOW severity)

Vector: AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N/E:P/RL:O/RC:C

Common Weakness Enumeration

CWE-471 Modification of Assumed-Immutable Data

Solution

  • Lura Project users: upgrade to v2.0.2 or higher
  • KrakenD CE users: upgrade to v2.0.2 or higher
  • KrakenD EE users: upgrade to v2.0.0 or higher

Researcher

Thanks to GitHub user Fepame for finding this vulnerability.

Categories: Security