CVE-2022-1561

2022-08-0113:15:09

CWE-471

[email protected]

web.nvd.nist.gov

lura

krakend-ce

krakend-ee

url parameters

vulnerability

backend

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

EPSS

0.001

Percentile

35.3%

JSON

Lura and KrakenD-CE versions older than v2.0.2 and KrakenD-EE versions older than v2.0.0 do not sanitize URL parameters correctly, allowing a malicious user to alter the backend URL defined for a pipe when remote users send crafty URL requests. The vulnerability does not affect KrakenD itself, but the consumed backend might be vulnerable.

Affected configurations

Nvd

Node

krakendkrakendRange<2.0.0enterprise

krakendkrakendRange≤2.0.2community

luraprojectluraRange<2.0.2

VendorProductVersionCPE
krakendkrakend*cpe:2.3:a:krakend:krakend:*:*:*:*:enterprise:*:*:*
krakendkrakend*cpe:2.3:a:krakend:krakend:*:*:*:*:community:*:*:*
luraprojectlura*cpe:2.3:a:luraproject:lura:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
krakend	krakend	*	cpe:2.3:a:krakend:krakend:::::enterprise:::*
krakend	krakend	*	cpe:2.3:a:krakend:krakend:::::community:::*
luraproject	lura	*	cpe:2.3:a:luraproject:lura::::::::