- Lura and KrakenD-CE, versions older than 2.0.2;
- KrakenD-EE versions older than 2.0.0.
INCIBE has coordinated the publication of a vulnerability in Lura Project, with the internal code INCIBE-2022-0850, which has been discovered by GitHub user Fepame.
CVE-2022-1561 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.0 has been calculated; the CVSS vector string is AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N.
- Lura Project and KrakenD-CE users must upgrade to version 2.0.2 or higher;
- KrakenD-EE users must upgrade to version 2.0.0 or higher.
Lura and KrakenD-CE versions older than 2.0.2 and KrakenD-EE versions older than 2.0.0 do not sanitize URL parameters correctly, allowing a malicious user to alter the backend URL defined for a pipe when remote users send crafty URL requests.
The vulnerability does not affect KrakenD itself, but the consumed backend might be vulnerable.
CWE-471: modification of assumed-immutable data.
If you have any information regarding this advisory, please contact INCIBE as indicated in the CVE Assignment and publication section.