Home / Early Warning / Security Advisories / Crafted backend URLs in Lura Project

Crafted backend URLs in Lura Project

Publication date: 
07/29/2022
Identificador: 
INCIBE-2022-0850
Importance: 
3 - Media
Affected resources: 
  • Lura and KrakenD-CE, versions older than 2.0.2;
  • KrakenD-EE versions older than 2.0.0.
Description: 

INCIBE has coordinated the publication of a vulnerability in Lura Project, with the internal code INCIBE-2022-0850, which has been discovered by GitHub user Fepame.

CVE-2022-1561 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.0 has been calculated; the CVSS vector string is AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N.

Solution: 
  • Lura Project and KrakenD-CE users must upgrade to version 2.0.2 or higher;
  • KrakenD-EE users must upgrade to version 2.0.0 or higher.
Detail: 

Lura and KrakenD-CE versions older than 2.0.2 and KrakenD-EE versions older than 2.0.0 do not sanitize URL parameters correctly, allowing a malicious user to alter the backend URL defined for a pipe when remote users send crafty URL requests.

The vulnerability does not affect KrakenD itself, but the consumed backend might be vulnerable.

CWE-471: modification of assumed-immutable data.

If you have any information regarding this advisory, please contact INCIBE as indicated in the CVE Assignment and publication section.

Encuesta valoración