CVE-2022-1561 - OpenCVE

Lura and KrakenD-CE versions older than v2.0.2 and KrakenD-EE versions older than v2.0.0 do not sanitize URL parameters correctly, allowing a malicious user to alter the backend URL defined for a pipe when remote users send crafty URL requests. The vulnerability does not affect KrakenD itself, but the consumed backend might be vulnerable.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Krakend	Krakend
Luraproject	Lura

Configuration 1 [-]

OR	cpe:2.3:a:krakend:krakend:::::enterprise:::*
	cpe:2.3:a:krakend:krakend:::::community:::*
	cpe:2.3:a:luraproject:lura::::::::

No data.

References

Link	Providers
https://www.incibe-cert.es/en/early-warning/security-advisories/crafted-backend-urls-lura-project
https://www.krakend.io/blog/cve-2022-1561-crafted-backend-urls/

History

No history.

MITRE

Status: PUBLISHED

Assigner: INCIBE

Published: 2022-08-01T12:47:45.682543Z

Updated: 2024-09-17T02:16:30.060Z

Reserved: 2022-05-03T00:00:00

Link: CVE-2022-1561

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-08-01T13:15:09.810

Modified: 2022-08-08T13:24:19.137

Link: CVE-2022-1561

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Lura Project", "vendor": "KrakenD", "versions": [{"lessThan": "v2.0.2", "status": "affected", "version": "v2.0.2", "versionType": "custom"}]}, {"product": "KrakenD-CE", "vendor": "KrakenD", "versions": [{"lessThan": "v2.0.2", "status": "affected", "version": "v2.0.2", "versionType": "custom"}]}, {"product": "KrakenD-EE", "vendor": "KrakenD", "versions": [{"lessThan": "v2.0.0", "status": "affected", "version": "v2.0.0", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Discovered by Github user Fepame"}], "datePublic": "2022-07-29T00:00:00", "descriptions": [{"lang": "en", "value": "Lura and KrakenD-CE versions older than v2.0.2 and KrakenD-EE versions older than v2.0.0 do not sanitize URL parameters correctly, allowing a malicious user to alter the backend URL defined for a pipe when remote users send crafty URL requests. The vulnerability does not affect KrakenD itself, but the consumed backend might be vulnerable."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-471", "description": "CWE-471: Modification of Assumed-Immutable Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-08-01T12:47:45", "orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "shortName": "INCIBE"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.incibe-cert.es/en/early-warning/security-advisories/crafted-backend-urls-lura-project"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.krakend.io/blog/cve-2022-1561-crafted-backend-urls/"}], "solutions": [{"lang": "en", "value": "Lura Project and KrakenD-CE users must upgrade to v2.0.2 or higher. KrakenD-EE users must upgrade to v2.0.0 or higher."}], "source": {"defect": ["INC-2022-0049"], "discovery": "EXTERNAL"}, "title": "Crafted backend URLs in Lura Project", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve-coordination@incibe.es", "DATE_PUBLIC": "2022-07-29T08:00:00.000Z", "ID": "CVE-2022-1561", "STATE": "PUBLIC", "TITLE": "Crafted backend URLs in Lura Project"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Lura Project", "version": {"version_data": [{"version_affected": "<", "version_name": "v2.0.2", "version_value": "v2.0.2"}]}}, {"product_name": "KrakenD-CE", "version": {"version_data": [{"version_affected": "<", "version_name": "v2.0.2", "version_value": "v2.0.2"}]}}, {"product_name": "KrakenD-EE", "version": {"version_data": [{"version_affected": "<", "version_name": "v2.0.0", "version_value": "v2.0.0"}]}}]}, "vendor_name": "KrakenD"}]}}, "credit": [{"lang": "eng", "value": "Discovered by Github user Fepame"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Lura and KrakenD-CE versions older than v2.0.2 and KrakenD-EE versions older than v2.0.0 do not sanitize URL parameters correctly, allowing a malicious user to alter the backend URL defined for a pipe when remote users send crafty URL requests. The vulnerability does not affect KrakenD itself, but the consumed backend might be vulnerable."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-471: Modification of Assumed-Immutable Data"}]}]}, "references": {"reference_data": [{"name": "https://www.incibe-cert.es/en/early-warning/security-advisories/crafted-backend-urls-lura-project", "refsource": "CONFIRM", "url": "https://www.incibe-cert.es/en/early-warning/security-advisories/crafted-backend-urls-lura-project"}, {"name": "https://www.krakend.io/blog/cve-2022-1561-crafted-backend-urls/", "refsource": "CONFIRM", "url": "https://www.krakend.io/blog/cve-2022-1561-crafted-backend-urls/"}]}, "solution": [{"lang": "en", "value": "Lura Project and KrakenD-CE users must upgrade to v2.0.2 or higher. KrakenD-EE users must upgrade to v2.0.0 or higher."}], "source": {"defect": ["INC-2022-0049"], "discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T00:10:03.417Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.incibe-cert.es/en/early-warning/security-advisories/crafted-backend-urls-lura-project"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.krakend.io/blog/cve-2022-1561-crafted-backend-urls/"}]}]}, "cveMetadata": {"assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "assignerShortName": "INCIBE", "cveId": "CVE-2022-1561", "datePublished": "2022-08-01T12:47:45.682543Z", "dateReserved": "2022-05-03T00:00:00", "dateUpdated": "2024-09-17T02:16:30.060Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:krakend:krakend:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "3A6E0144-4F80-47D1-800E-809580D1C525", "versionEndExcluding": "2.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:krakend:krakend:*:*:*:*:community:*:*:*", "matchCriteriaId": "55A063F9-8673-4B66-900F-A3B19E06777A", "versionEndIncluding": "2.0.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:luraproject:lura:*:*:*:*:*:*:*:*", "matchCriteriaId": "E961C753-02DB-473E-9D24-6B9B400B8AE9", "versionEndExcluding": "2.0.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Lura and KrakenD-CE versions older than v2.0.2 and KrakenD-EE versions older than v2.0.0 do not sanitize URL parameters correctly, allowing a malicious user to alter the backend URL defined for a pipe when remote users send crafty URL requests. The vulnerability does not affect KrakenD itself, but the consumed backend might be vulnerable."}, {"lang": "es", "value": "Lura y KrakenD-CE versiones anteriores a v2.0.2 y KrakenD-EE versiones anteriores a v2.0.0, no sanean los par\u00e1metros de la URL, lo que permite a un usuario malicioso alterar la URL del backend definida para una tuber\u00eda cuando los usuarios remotos env\u00edan peticiones de URL astutas. La vulnerabilidad no afecta al propio KrakenD, pero el backend consumido podr\u00eda ser vulnerable"}], "id": "CVE-2022-1561", "lastModified": "2022-08-08T13:24:19.137", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 1.4, "source": "cve-coordination@incibe.es", "type": "Secondary"}]}, "published": "2022-08-01T13:15:09.810", "references": [{"source": "cve-coordination@incibe.es", "tags": ["Third Party Advisory"], "url": "https://www.incibe-cert.es/en/early-warning/security-advisories/crafted-backend-urls-lura-project"}, {"source": "cve-coordination@incibe.es", "tags": ["Vendor Advisory"], "url": "https://www.krakend.io/blog/cve-2022-1561-crafted-backend-urls/"}], "sourceIdentifier": "cve-coordination@incibe.es", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-471"}], "source": "cve-coordination@incibe.es", "type": "Secondary"}]}