INCIBECVELIST:CVE-2022-1561CVE-2022-1561 Crafted backend URLs in Lura Project
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N
AI Score
Confidence
High
EPSS
Percentile
35.3%
Lura and KrakenD-CE versions older than v2.0.2 and KrakenD-EE versions older than v2.0.0 do not sanitize URL parameters correctly, allowing a malicious user to alter the backend URL defined for a pipe when remote users send crafty URL requests. The vulnerability does not affect KrakenD itself, but the consumed backend might be vulnerable.
CNA Affected
[
{
"product": "Lura Project",
"vendor": "KrakenD",
"versions": [
{
"lessThan": "v2.0.2",
"status": "affected",
"version": "v2.0.2",
"versionType": "custom"
}
]
},
{
"product": "KrakenD-CE",
"vendor": "KrakenD",
"versions": [
{
"lessThan": "v2.0.2",
"status": "affected",
"version": "v2.0.2",
"versionType": "custom"
}
]
},
{
"product": "KrakenD-EE",
"vendor": "KrakenD",
"versions": [
{
"lessThan": "v2.0.0",
"status": "affected",
"version": "v2.0.0",
"versionType": "custom"
}
]
}
]Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N
AI Score
Confidence
High
EPSS
Percentile
35.3%