membphis commented on code in PR #1796: URL: https://github.com/apache/apisix-website/pull/1796#discussion_r1590479433
########## blog/en/blog/2024/05/02/cve-2024-32638.md: ########## @@ -1,36 +1,37 @@ --- -title: "Forward-Auth Plugin Request Smuggling( CVE-2024-32638 )" +title: "HTTP Request Smuggling in forward-auth Plugin (CVE-2024-32638)" keywords: - Vulnerability - forward-auth - Smuggling -description: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in Apache APISIX when using `forward-auth` plugin. -tags: [Security] +description: Enabling the `forward-auth` plugin allows Apache APISIX to trigger illegal requests (HTTP Request Smuggling), resulting in a security vulnerability. +tags: [Vulnerabilities] +image: https://static.apiseven.com/uploads/2024/05/06/Wq940JRt_CVE-2024-32638.png --- -> In APISIX 3.8.0, 3.9.0, there is a problem of HTTP Request Smuggling caused by the `forward-auth` plugin. +> For APISIX versions 3.8.0 and 3.9.0, enabling the forward-auth plugin allows APISIX to trigger illegal requests (HTTP Request Smuggling). <!--truncate--> ## Problem Description -Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in Apache APISIX when using `forward-auth` plugin. +Enabling the `forward-auth` plugin allows Apache APISIX to trigger illegal requests (HTTP Request Smuggling), resulting in a security vulnerability. ## Affected Versions -This issue affects Apache APISIX: from 3.8.0, 3.9.0 . +This risk affects Apache APISIX versions: 3.8.0 and 3.9.0. Review Comment: I think `issue` or `vulnerability` is acceptable here
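Review bot: The rewritten `description` and "Problem Description" lines replace the precise wording "Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')" with "allows Apache APISIX to trigger illegal requests", which is vaguer: it does not say what is inconsistent or who sends the request, and "illegal requests" is not a defined term. Suggest keeping the original defect description and only smoothing the grammar, e.g. "Inconsistent interpretation of HTTP requests (HTTP Request Smuggling) in Apache APISIX when the `forward-auth` plugin is enabled." Two smaller points in the same hunk: the new blockquote line writes the plugin name as plain "forward-auth" while the description and Problem Description keep the backticked `forward-auth`, so the formatting should be made consistent; and changing `tags: [Security]` to `tags: [Vulnerabilities]` moves this post to a different tag page, so confirm that the other advisory posts use `Vulnerabilities` before landing it.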