This is an automated email from the ASF dual-hosted git repository.

membphis pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/apisix-website.git


The following commit(s) were added to refs/heads/master by this push:
     new f8d090ce58b docs: add CVE-2024-32638 post (#1795)
f8d090ce58b is described below

commit f8d090ce58b1557e3922444623557f3f7e71c8ac
Author: YuanSheng Wang <membp...@gmail.com>
AuthorDate: Mon May 6 09:07:58 2024 +0800

    docs: add CVE-2024-32638 post (#1795)
---
 blog/en/blog/2024/05/02/cve-2024-32638.md | 36 +++++++++++++++++++++++++++++++
 blog/zh/blog/2024/05/02/cve-2024-32638.md | 36 +++++++++++++++++++++++++++++++
 2 files changed, 72 insertions(+)

diff --git a/blog/en/blog/2024/05/02/cve-2024-32638.md 
b/blog/en/blog/2024/05/02/cve-2024-32638.md
new file mode 100644
index 00000000000..116afd76b72
--- /dev/null
+++ b/blog/en/blog/2024/05/02/cve-2024-32638.md
@@ -0,0 +1,36 @@
+---
+title: "Forward-Auth Plugin Request Smuggling( CVE-2024-32638 )"
+keywords: 
+- Vulnerability
+- forward-auth
+- Smuggling
+description: Inconsistent Interpretation of HTTP Requests ('HTTP Request 
Smuggling') vulnerability in Apache APISIX when using `forward-auth` plugin.
+tags: [Security]
+---
+
+> In APISIX 3.8.0, 3.9.0, there is a problem of HTTP Request Smuggling caused 
by the `forward-auth` plugin.
+<!--truncate-->
+
+## Problem Description
+
+Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') 
vulnerability in Apache APISIX when using `forward-auth` plugin.
+
+## Affected Versions
+
+This issue affects Apache APISIX: from 3.8.0, 3.9.0 .
+
+## Solution
+
+If you are using version 3.8.0, 3.9.0, highly recommended to upgrade to 
version 3.8.1, 3.9.1 or higher, which fixes the issue.
+
+## Vulnerability details
+
+Severity:low
+
+Vulnerability public date: May 2, 2024
+
+CVE details: https://nvd.nist.gov/vuln/detail/CVE-2024-32638
+
+## Contributor Profile
+
+Discovered and reported by Brandon Arp and Bruno Green of Topsort. Thank you 
for your contribution to the Apache APISIX community.
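Review bot: The "Affected Versions" line reads "from 3.8.0, 3.9.0 .", which looks like the start of a range with no upper bound and leaves a stray space before the period. Since the Solution section names exactly two releases, suggest "This issue affects Apache APISIX 3.8.0 and 3.9.0." The Solution sentence also has no subject ("highly recommended to upgrade"), and could read "If you are using version 3.8.0 or 3.9.0, we highly recommend upgrading to 3.8.1, 3.9.1 or higher". Smaller points: "Severity:low" needs a space after the colon, and the title's "Smuggling( CVE-2024-32638 )" has its spacing misplaced around the parentheses. The Problem Description repeats the front-matter description word for word and does not say which `forward-auth` configurations are exposed. A sentence on that would help readers who cannot upgrade immediately to assess their risk.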
diff --git a/blog/zh/blog/2024/05/02/cve-2024-32638.md 
b/blog/zh/blog/2024/05/02/cve-2024-32638.md
new file mode 100644
index 00000000000..f9c746832d5
--- /dev/null
+++ b/blog/zh/blog/2024/05/02/cve-2024-32638.md
@@ -0,0 +1,36 @@
+---
+title: "Forward-Auth 插件能够发出非法 Smuggling 请求 ( CVE-2024-32638 )"
+keywords: 
+- 安全漏洞
+- forward-auth
+- Smuggling
+description: 使用 “forward-auth” 插件时,Apache APISIX 能够发出 HTTP 非法请求(“HTTP Request 
Smuggling”)导致安全漏洞
+tags: [Security]
+---
+
+> 对于 APISIX 3.8.0, 3.9.0 版本,启用 “forward-auth” 插件时,APISIX 能够发出非法请求(HTTP Request 
Smuggling)。
+<!--truncate-->
+
+## 问题描述
+
+启用 “forward-auth” 插件时,APISIX 能够发出非法请求(HTTP Request Smuggling)导致安全漏洞。
+
+## 影响版本
+
+该风险会影响 Apache APISIX `3.8.0` 和 `3.9.0` 两版本。
+
+## 解决方案
+
+对于正在使用 3.8.0,3.9.0 的 Apache APISIX 用户,推荐升级到 3.8.1,3.9.1 或更高版本。
+
+## 漏洞详情
+
+漏洞优先级:低
+
+漏洞公开时间:2024 年 5 月 2 日
+
+CVE 详细信息:https://nvd.nist.gov/vuln/detail/CVE-2024-32638
+
+## 贡献者简介
+
+该漏洞有来自 Topsort 公司的 Brandon Arp 和 Bruno Green 发现并报告。感谢各位对 Apache APISIX 社区的贡献。
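Review bot: The contributor line "该漏洞有来自 Topsort 公司的 …" has a typo: "有" should be "由" ("该漏洞由来自 Topsort 公司的 … 发现并报告"). Formatting is also inconsistent within this file and with the English post. The plugin name is wrapped in curly quotes (“forward-auth”) where the English version uses backticks, and the version numbers are in backticks in the 影响版本 section but plain in 解决方案. Suggest backticks throughout so the plugin name renders as code in both languages.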
