MidnightBSD

Advisories for krakend

CVE-2022-1561

Lura and KrakenD-CE versions older than v2.0.2 and KrakenD-EE versions older than v2.0.0 do not sanitize URL parameters correctly, allowing a malicious user to alter the backend URL defined for a pipe when remote users send crafty URL requests. The vulnerability does not affect KrakenD itself, but the consumed backend might be vulnerable.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N 2.8 1.4
cve-coordination@incibe.es 4.0 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N 2.2 1.4

Products Affected

Vendor Product Version
krakend krakend *
luraproject lura *