CVE-2022-1561: 
Homebrew vulnerability analysis and mitigation

The vulnerability (CVE-2022-1561) affects the Lura Project software, which serves as KrakenD's engine. The issue was discovered in KrakenD-CE versions older than v2.0.2 and KrakenD-EE versions older than v2.0.0, where URL parameters were not properly sanitized, allowing malicious users to alter backend URLs (KrakenD Blog).

The vulnerability exists in the package github.com/luraproject/lura/v2/router/gin where URL parameters are not sanitized correctly. This could allow remote users to modify the backend URL defined for a pipe through crafted URL requests. The vulnerability has been assigned a CVSS v3 score of 3.6 out of 10, indicating LOW severity, with a vector of AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N/E:P/RL:O/RC:C. It is classified under CWE-471 (Modification of Assumed-Immutable Data) (KrakenD Blog).

While the vulnerability does not directly affect KrakenD itself, the consumed backend might be vulnerable to URL manipulation attacks. This could potentially lead to unauthorized access or manipulation of backend services (KrakenD Blog).

Users are advised to upgrade to the following versions: Lura Project users should upgrade to v2.0.2 or higher, KrakenD CE users should upgrade to v2.0.2 or higher, and KrakenD EE users should upgrade to v2.0.0 or higher (KrakenD Blog).