CVE Vulnerability

CVE-2022-1561

Lura and KrakenD-CE versions older than v2.0.2 and KrakenD-EE versions older than v2.0.0 do not sanitize URL parameters correctly, allowing a malicious user to alter the backend URL defined for a pipe when remote users send crafty URL requests. The vulnerability does not affect KrakenD itself, but the consumed backend might be vulnerable.

4.3 /10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://www.krakend.io/blog/cve-2022-1561-crafted-backend-urls/ Vendor Advisory
https://www.incibe-cert.es/en/early-warning/security-advisories/crafted-backend-urls-lura-project Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:luraproject:lura:*:*:*:*:*:*:*:*
cpe:2.3:a:krakend:krakend:*:*:*:*:community:*:*:*
cpe:2.3:a:krakend:krakend:*:*:*:*:enterprise:*:*:*
Information

Published : 2022-08-01 01:15

Updated : 2022-08-08 01:24

NVD link : CVE-2022-1561

Mitre link : CVE-2022-1561

Products Affected
No products.
CWE
NVD-CWE-Other