Vulnerability Description
Lura and KrakenD-CE versions older than v2.0.2 and KrakenD-EE versions older than v2.0.0 do not sanitize URL parameters correctly, allowing a malicious user to alter the backend URL defined for a pipe when remote users send crafty URL requests. The vulnerability does not affect KrakenD itself, but the consumed backend might be vulnerable.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Krakend | Krakend | < 2.0.0 |
| Luraproject | Lura | < 2.0.2 |
Related Weaknesses (CWE)
References
- https://www.incibe-cert.es/en/early-warning/security-advisories/crafted-backend-Third Party Advisory
- https://www.krakend.io/blog/cve-2022-1561-crafted-backend-urls/Vendor Advisory
- https://www.incibe-cert.es/en/early-warning/security-advisories/crafted-backend-Third Party Advisory
- https://www.krakend.io/blog/cve-2022-1561-crafted-backend-urls/Vendor Advisory
FAQ
What is CVE-2022-1561?
CVE-2022-1561 is a vulnerability with a CVSS score of 4.0 (MEDIUM). Lura and KrakenD-CE versions older than v2.0.2 and KrakenD-EE versions older than v2.0.0 do not sanitize URL parameters correctly, allowing a malicious user to alter the backend URL defined for a pipe...
How severe is CVE-2022-1561?
CVE-2022-1561 has been rated MEDIUM with a CVSS base score of 4.0/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-1561?
Check the references section above for vendor advisories and patch information. Affected products include: Krakend Krakend, Luraproject Lura.