This is an automated email from the ASF dual-hosted git repository. bzp2010 pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/apisix-website.git
The following commit(s) were added to refs/heads/master by this push: new 26173097885 docs: fix tag of cve-2024-32638.md (#1796) 26173097885 is described below commit 261730978851752dccdea86c9636924067a7e0a0 Author: Yilia Lin <114121331+yilial...@users.noreply.github.com> AuthorDate: Mon May 6 10:25:50 2024 +0800 docs: fix tag of cve-2024-32638.md (#1796) --- blog/en/blog/2024/05/02/cve-2024-32638.md | 19 ++++++++++--------- blog/zh/blog/2024/05/02/cve-2024-32638.md | 15 ++++++++------- 2 files changed, 18 insertions(+), 16 deletions(-) diff --git a/blog/en/blog/2024/05/02/cve-2024-32638.md b/blog/en/blog/2024/05/02/cve-2024-32638.md index 116afd76b72..6eca3c0c72f 100644 --- a/blog/en/blog/2024/05/02/cve-2024-32638.md +++ b/blog/en/blog/2024/05/02/cve-2024-32638.md 
@@ -1,31 +1,32 @@ --- -title: "Forward-Auth Plugin Request Smuggling( CVE-2024-32638 )" +title: "HTTP Request Smuggling in forward-auth Plugin (CVE-2024-32638)" keywords: - Vulnerability - forward-auth - Smuggling -description: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in Apache APISIX when using `forward-auth` plugin. -tags: [Security] +description: Enabling the `forward-auth` plugin allows Apache APISIX to trigger illegal requests (HTTP Request Smuggling), resulting in a security vulnerability. +tags: [Vulnerabilities] +image: https://static.apiseven.com/uploads/2024/05/06/Wq940JRt_CVE-2024-32638.png --- -> In APISIX 3.8.0, 3.9.0, there is a problem of HTTP Request Smuggling caused by the `forward-auth` plugin. +> For APISIX versions 3.8.0 and 3.9.0, enabling the forward-auth plugin allows APISIX to trigger illegal requests (HTTP Request Smuggling). <!--truncate--> ## Problem Description -Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in Apache APISIX when using `forward-auth` plugin. +Enabling the `forward-auth` plugin allows Apache APISIX to trigger illegal requests (HTTP Request Smuggling), resulting in a security vulnerability. ## Affected Versions -This issue affects Apache APISIX: from 3.8.0, 3.9.0 . +This issue affects Apache APISIX versions: 3.8.0 and 3.9.0. ## Solution -If you are using version 3.8.0, 3.9.0, highly recommended to upgrade to version 3.8.1, 3.9.1 or higher, which fixes the issue. +For Apache APISIX users using versions 3.8.0 and 3.9.0, it is recommended to upgrade to versions 3.8.1, 3.9.1, or higher, in which the issue is fixed. ## Vulnerability details -Severity:low +Severity: Low Vulnerability public date: May 2, 2024 
@@ -33,4 +34,4 @@ CVE details: https://nvd.nist.gov/vuln/detail/CVE-2024-32638 ## Contributor Profile -Discovered and reported by Brandon Arp and Bruno Green of Topsort. Thank you for your contribution to the Apache APISIX community. +This vulnerability was discovered and reported by Brandon Arp and Bruno Green from Topsort. Thank you for your contribution to the Apache APISIX community. diff --git a/blog/zh/blog/2024/05/02/cve-2024-32638.md b/blog/zh/blog/2024/05/02/cve-2024-32638.md index f9c746832d5..66bfe5becbd 100644 --- a/blog/zh/blog/2024/05/02/cve-2024-32638.md +++ b/blog/zh/blog/2024/05/02/cve-2024-32638.md @@ -1,23 +1,24 @@ --- -title: "Forward-Auth 插件能够发出非法 Smuggling 请求 ( CVE-2024-32638 )" +title: "Forward-Auth 插件能够发出非法 Smuggling 请求 (CVE-2024-32638)" keywords: - 安全漏洞 - forward-auth - Smuggling -description: 使用 “forward-auth” 插件时,Apache APISIX 能够发出 HTTP 非法请求(“HTTP Request Smuggling”)导致安全漏洞 -tags: [Security] +description: 使用 `forward-auth` 插件时,Apache APISIX 能够发出 HTTP 非法请求(HTTP Request Smuggling)导致安全漏洞 +tags: [Vulnerabilities] +image: https://static.apiseven.com/uploads/2024/05/06/Wq940JRt_CVE-2024-32638.png --- -> 对于 APISIX 3.8.0, 3.9.0 版本,启用 “forward-auth” 插件时,APISIX 能够发出非法请求(HTTP Request Smuggling)。 +> 对于 APISIX 3.8.0, 3.9.0 版本,启用 `forward-auth` 插件时,APISIX 能够发出非法请求(HTTP Request Smuggling)。 <!--truncate--> ## 问题描述 -启用 “forward-auth” 插件时,APISIX 能够发出非法请求(HTTP Request Smuggling)导致安全漏洞。 +启用 `forward-auth` 插件时,APISIX 能够发出非法请求(HTTP Request Smuggling)导致安全漏洞。 ## 影响版本 -该风险会影响 Apache APISIX `3.8.0` 和 `3.9.0` 两版本。 +该风险会影响 Apache APISIX `3.8.0` 和 `3.9.0` 两个版本。 ## 解决方案 @@ -33,4 +34,4 @@ CVE 详细信息:https://nvd.nist.gov/vuln/detail/CVE-2024-32638 ## 贡献者简介 -该漏洞有来自 Topsort 公司的 Brandon Arp 和 Bruno Green 发现并报告。感谢各位对 Apache APISIX 社区的贡献。 +该漏洞由来自 Topsort 公司的 Brandon Arp 和 Bruno Green 发现并报告。感谢各位对 Apache APISIX 社区的贡献。
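Review bot: In the first hunk of blog/en/blog/2024/05/02/cve-2024-32638.md, the new `description` and Problem Description lines drop "Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')", which is the CWE-444 weakness name, in favour of "trigger illegal requests (HTTP Request Smuggling)", and "illegal requests" does not say what is wrong with them. Suggest keeping the CWE phrase in at least the Problem Description. In the same hunk, the new blockquote line writes forward-auth without backticks while the description and Problem Description lines use `forward-auth`, and the Solution line softens "highly recommended to upgrade" to "it is recommended to upgrade" for a security fix. The commit subject "docs: fix tag" also understates a change that rewrites the title, description and body text and adds an `image` field.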
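Review bot: In the first hunk of blog/zh/blog/2024/05/02/cve-2024-32638.md, the title change only removes the padding inside the parentheses, while the English title in the same commit is rewritten to "HTTP Request Smuggling in forward-auth Plugin (CVE-2024-32638)". The zh title keeps the old wording, so suggest aligning it with the new English title or noting that the difference is intended. In the same hunk, the blockquote line still gives the versions as plain "3.8.0, 3.9.0" while the 影响版本 line writes them as `3.8.0` 和 `3.9.0`; pick one form for both lines.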