Vulnerability Details CVE-2022-1561
Lura and KrakenD-CE versions older than v2.0.2 and KrakenD-EE versions older than v2.0.0 do not sanitize URL parameters correctly, allowing a malicious user to alter the backend URL defined for a pipe when remote users send crafty URL requests. The vulnerability does not affect KrakenD itself, but the consumed backend might be vulnerable.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.002
EPSS Ranking 41.7%
CVSS Severity
CVSS v3 Score 4.0
References
- https://www.incibe-cert.es/en/early-warning/security-advisories/crafted-backend-urls-lura-project
- https://www.krakend.io/blog/cve-2022-1561-crafted-backend-urls/
- https://www.incibe-cert.es/en/early-warning/security-advisories/crafted-backend-urls-lura-project
- https://www.krakend.io/blog/cve-2022-1561-crafted-backend-urls/
Products affected by CVE-2022-1561
-
cpe:2.3:a:krakend:krakend:-
-
cpe:2.3:a:krakend:krakend:2.0.2
-
cpe:2.3:a:luraproject:lura:-
-
cpe:2.3:a:luraproject:lura:0.1
-
cpe:2.3:a:luraproject:lura:0.2
-
cpe:2.3:a:luraproject:lura:0.3
-
cpe:2.3:a:luraproject:lura:0.4
-
cpe:2.3:a:luraproject:lura:0.4.1
-
cpe:2.3:a:luraproject:lura:0.4.2
-
cpe:2.3:a:luraproject:lura:0.5
-
cpe:2.3:a:luraproject:lura:0.6.0
-
cpe:2.3:a:luraproject:lura:0.6.1
-
cpe:2.3:a:luraproject:lura:0.7.0
-
cpe:2.3:a:luraproject:lura:0.8.0
-
cpe:2.3:a:luraproject:lura:0.9.0
-
cpe:2.3:a:luraproject:lura:1.0.0
-
cpe:2.3:a:luraproject:lura:1.1.0
-
cpe:2.3:a:luraproject:lura:1.1.1
-
cpe:2.3:a:luraproject:lura:1.2.0
-
cpe:2.3:a:luraproject:lura:1.3.0
-
cpe:2.3:a:luraproject:lura:1.4.0
-
cpe:2.3:a:luraproject:lura:1.4.1
-
cpe:2.3:a:luraproject:lura:2.0.0
-
cpe:2.3:a:luraproject:lura:2.0.1