CVE-2022-1561 MEDIUM

CVE-2022-1561: Crafted backend URLs in Lura Project

Vendor Krakend
Product Lura Project
Weakness CWE-471
Published August 1, 2022
Last update September 17, 2024

CVSS base score

4.0/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N

What the vulnerability does

01 Description

Lura and KrakenD-CE versions older than v2.0.2 and KrakenD-EE versions older than v2.0.0 do not sanitize URL parameters correctly, which allows a malicious remote user to alter the backend URL defined for a pipe by sending crafted URL requests. The vulnerability does not affect KrakenD itself, but the consumed backend might be vulnerable.

Key dates

02 Disclosure timeline

August 1, 2022 CVE published
September 17, 2024 Record updated