List: oss-security@lists.openwall.com (run by ezmlm)
From: YuanSheng Wang
Date: Thu, 2 May 2024 17:15:10 +0800
To: announce@apache.org, dev@apisix.apache.org, Apache Security Team, oss-security@lists.openwall.com, Brandon Arp
Subject: [oss-security] CVE-2024-32638: Apache APISIX: Forward-Auth Request Smuggling

Severity: low

Affected versions:
- Apache APISIX 3.8.0, 3.9.0

Description:

Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in Apache APISIX when using the `forward-auth` plugin.

This issue affects Apache APISIX 3.8.0 and 3.9.0.

Users are recommended to upgrade to version 3.8.1, 3.9.1 or higher, which fixes the issue.

Credit:

Discovered and reported by Brandon Arp and Bruno Green of Topsort.

Regards.

-- 
MembPhis
My GitHub: https://github.com/membphis
Apache APISIX: https://github.com/apache/apisix
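The advisory names only the affected releases and the plugin, not the smuggling mechanism, so the practical first step for an operator is an exposure check: which APISIX version is running, and whether `forward-auth` is enabled anywhere (directly on a route, on a service, in a global rule, or in a plugin_config that routes reference by `plugin_config_id`). The Python triage helper below is an added example, not code from the advisory or the APISIX project. It assumes the Admin API v3 list shape (`{"total": n, "list": [{"key": ..., "value": {...}}]}`) that `curl -H "X-API-KEY: $KEY" http://127.0.0.1:9180/apisix/admin/routes` and the sibling `services`, `global_rules` and `plugin_configs` endpoints return, and the sample listings embedded in it are constructed, not real output. It reports exposure, not exploitability.

```python
import json
from typing import Dict, List

# Versions the advisory names as affected; the fixed releases are 3.8.1 and 3.9.1.
AFFECTED_VERSIONS = {"3.8.0", "3.9.0"}
PLUGIN = "forward-auth"


def is_affected_version(version: str) -> bool:
    """True if `version` is one of the releases the advisory lists as affected.

    Accepts the bare version printed by `apisix version` ("3.9.0") and the
    form APISIX puts in its Server response header ("APISIX/3.9.0").
    """
    v = version.strip()
    if v.startswith("APISIX/"):
        v = v[len("APISIX/"):]
    return v in AFFECTED_VERSIONS


def objects_with_plugin(listing: dict, plugin: str = PLUGIN) -> List[str]:
    """Return the keys of Admin API objects whose `plugins` map enables `plugin`.

    Assumes the Admin API v3 list shape (an assumption of this example):
        {"total": n, "list": [{"key": "/apisix/routes/1", "value": {...}}]}
    Routes that get their plugins from a service or a plugin_config are
    covered by scanning those listings separately in triage().
    """
    hits: List[str] = []
    for item in listing.get("list", []):
        plugins = item.get("value", {}).get("plugins") or {}
        if plugin in plugins:
            hits.append(item["key"])
    return hits


def triage(version: str, listings: Dict[str, dict]) -> dict:
    """Combine the version check with a scan of every supplied listing.

    `listings` maps a name ("routes", "services", "global_rules",
    "plugin_configs") to the parsed JSON of the matching Admin API GET.
    """
    usage = {name: objects_with_plugin(body) for name, body in listings.items()}
    affected = is_affected_version(version)
    in_use = any(usage.values())
    return {
        "version_affected": affected,
        "plugin_in_use": in_use,
        "usage": usage,
        "upgrade_required": affected and in_use,
    }


# Constructed sample data standing in for Admin API responses (not real output):
# route 1 enables forward-auth directly, route 2 inherits it from plugin_config
# pc1 via plugin_config_id, and the services listing is clean.
SAMPLE_LISTINGS = {
    "routes": json.loads("""{"total": 2, "list": [
        {"key": "/apisix/routes/1", "value": {"uri": "/api/*",
            "plugins": {"forward-auth": {"uri": "http://auth.internal:9080/verify",
                                         "request_headers": ["Authorization"]}}}},
        {"key": "/apisix/routes/2", "value": {"uri": "/public/*",
            "plugin_config_id": "pc1"}}
    ]}"""),
    "services": json.loads('{"total": 0, "list": []}'),
    "plugin_configs": json.loads("""{"total": 1, "list": [
        {"key": "/apisix/plugin_configs/pc1", "value": {
            "plugins": {"forward-auth": {"uri": "http://auth.internal:9080/verify"}}}}
    ]}"""),
}


if __name__ == "__main__":
    # On a real gateway, replace SAMPLE_LISTINGS with the parsed Admin API
    # responses and the version string with the output of `apisix version`.
    print(json.dumps(triage("3.9.0", SAMPLE_LISTINGS), indent=2))
```

A result with `upgrade_required: true` means an affected release is serving at least one object with `forward-auth` enabled; the `usage` map tells you which routes, services or plugin_configs to look at. A version of 3.8.1 or 3.9.1 or later clears the flag regardless of plugin usage, which matches the advisory's upgrade guidance.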