This is an automated email from the ASF dual-hosted git repository. membphis pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/apisix-website.git
The following commit(s) were added to refs/heads/master by this push: new f8d090ce58b docs: add CVE-2024-32638 post (#1795) f8d090ce58b is described below commit f8d090ce58b1557e3922444623557f3f7e71c8ac Author: YuanSheng Wang <membp...@gmail.com> AuthorDate: Mon May 6 09:07:58 2024 +0800 docs: add CVE-2024-32638 post (#1795) --- blog/en/blog/2024/05/02/cve-2024-32638.md | 36 +++++++++++++++++++++++++++++++ blog/zh/blog/2024/05/02/cve-2024-32638.md | 36 +++++++++++++++++++++++++++++++ 2 files changed, 72 insertions(+) diff --git a/blog/en/blog/2024/05/02/cve-2024-32638.md b/blog/en/blog/2024/05/02/cve-2024-32638.md new file mode 100644 index 00000000000..116afd76b72 --- /dev/null +++ b/blog/en/blog/2024/05/02/cve-2024-32638.md @@ -0,0 +1,36 @@ +--- +title: "Forward-Auth Plugin Request Smuggling( CVE-2024-32638 )" +keywords: +- Vulnerability +- forward-auth +- Smuggling +description: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in Apache APISIX when using `forward-auth` plugin. +tags: [Security] +--- + +> In APISIX 3.8.0, 3.9.0, there is a problem of HTTP Request Smuggling caused by the `forward-auth` plugin. +<!--truncate--> + +## Problem Description + +Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in Apache APISIX when using `forward-auth` plugin. + +## Affected Versions + +This issue affects Apache APISIX: from 3.8.0, 3.9.0 . + +## Solution + +If you are using version 3.8.0, 3.9.0, highly recommended to upgrade to version 3.8.1, 3.9.1 or higher, which fixes the issue. + +## Vulnerability details + +Severity:low + +Vulnerability public date: May 2, 2024 + +CVE details: https://nvd.nist.gov/vuln/detail/CVE-2024-32638 + +## Contributor Profile + +Discovered and reported by Brandon Arp and Bruno Green of Topsort. Thank you for your contribution to the Apache APISIX community. 
diff --git a/blog/zh/blog/2024/05/02/cve-2024-32638.md b/blog/zh/blog/2024/05/02/cve-2024-32638.md new file mode 100644 index 00000000000..f9c746832d5 --- /dev/null +++ b/blog/zh/blog/2024/05/02/cve-2024-32638.md @@ -0,0 +1,36 @@ +--- +title: "Forward-Auth 插件能够发出非法 Smuggling 请求 ( CVE-2024-32638 )" +keywords: +- 安全漏洞 +- forward-auth +- Smuggling +description: 使用 “forward-auth” 插件时,Apache APISIX 能够发出 HTTP 非法请求(“HTTP Request Smuggling”)导致安全漏洞 +tags: [Security] +--- + +> 对于 APISIX 3.8.0, 3.9.0 版本,启用 “forward-auth” 插件时,APISIX 能够发出非法请求(HTTP Request Smuggling)。 +<!--truncate--> + +## 问题描述 + +启用 “forward-auth” 插件时,APISIX 能够发出非法请求(HTTP Request Smuggling)导致安全漏洞。 + +## 影响版本 + +该风险会影响 Apache APISIX `3.8.0` 和 `3.9.0` 两版本。 + +## 解决方案 + +对于正在使用 3.8.0,3.9.0 的 Apache APISIX 用户,推荐升级到 3.8.1,3.9.1 或更高版本。 + +## 漏洞详情 + +漏洞优先级:低 + +漏洞公开时间:2024 年 5 月 2 日 + +CVE 详细信息:https://nvd.nist.gov/vuln/detail/CVE-2024-32638 + +## 贡献者简介 + +该漏洞有来自 Topsort 公司的 Brandon Arp 和 Bruno Green 发现并报告。感谢各位对 Apache APISIX 社区的贡献。
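Review bot: In the English post (blog/en/blog/2024/05/02/cve-2024-32638.md), the "Affected Versions" line `This issue affects Apache APISIX: from 3.8.0, 3.9.0 .` reads as an open-ended range ("from 3.8.0") when only two releases are listed, and it has a stray space before the period; suggest `This issue affects Apache APISIX 3.8.0 and 3.9.0.` so readers on 3.7.x or 3.10+ are not left unsure. Two smaller points in the same hunk: the "Solution" sentence is missing its subject (`highly recommended to upgrade` should be `it is highly recommended to upgrade`), and `Severity:low` is missing a space and the capitalisation used by the neighbouring fields (`Severity: Low`). Heading case is also inconsistent: `## Vulnerability details` sits next to `## Problem Description`, `## Affected Versions` and `## Contributor Profile`, and the title string `Forward-Auth Plugin Request Smuggling( CVE-2024-32638 )` has the space on the wrong side of the opening parenthesis. Finally, the "Problem Description" paragraph repeats the front-matter `description` verbatim and gives no hint of which `forward-auth` configurations are affected or what the plugin does with the request that leads to the inconsistent interpretation; if those details cannot be published yet, at least point readers to the NVD link that appears further down so the section is not empty of information.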
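Review bot: In the Chinese post (blog/zh/blog/2024/05/02/cve-2024-32638.md), the contributor line `该漏洞有来自 Topsort 公司的 Brandon Arp 和 Bruno Green 发现并报告` uses 有 where the passive marker 由 is needed (`该漏洞由来自 Topsort 公司的 ... 发现并报告`). The description wording also diverges from the English file: the English `description` and "Problem Description" describe an inconsistent interpretation of HTTP requests, while the Chinese `description`, the quoted summary and `## 问题描述` all say APISIX 能够发出非法请求 (that APISIX can send illegal requests), which is a different claim; the two posts should state the same thing. Style points in the same hunk: the plugin name is wrapped in full-width quotes (“forward-auth”) in the Chinese front matter and body whereas the English file and the version numbers in `## 影响版本` use backticks, so `forward-auth` in backticks would be consistent; `两版本` reads better as `两个版本`; and the version lists in `## 解决方案` mix half-width commas into Chinese sentences (`3.8.0,3.9.0`, `3.8.1,3.9.1`) where the rest of the post uses full-width punctuation.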