History: May 02, 2024 - 10:15 a.m.

CVE-2024-32638

2024-05-02 10:15:08
CWE-444
apache
web.nvd.nist.gov
cve-2024-32638
http request smuggling
apache apisix
forward-auth plugin
upgrade
security vulnerability

CVSS3: 6.3

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

AI Score: 6.8
Confidence: High

EPSS: 0
Percentile: 9.0%

Inconsistent Interpretation of HTTP Requests (‘HTTP Request Smuggling’) vulnerability in Apache APISIX when using forward-auth plugin. This issue affects Apache APISIX: from 3.8.0, 3.9.0.

Users are recommended to upgrade to version 3.8.1, 3.9.1 or higher, which fixes the issue.

Affected configurations

Node: apache apisix, Range ≤ 3.9.0

Vendor: apache
Product: apisix
Version: *
CPE: cpe:2.3:a:apache:apisix:*:*:*:*:*:*:*:*

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Apache APISIX",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "lessThanOrEqual": "3.9.0",
        "status": "affected",
        "version": "3.8.0",
        "versionType": "custom"
      }
    ]
  }
]
