Received: by 2002:ab2:60d1:0:b0:1f7:5705:b850 with SMTP id i17csp1120208lqm;
        Thu, 2 May 2024 06:04:33 -0700 (PDT)
X-Forwarded-Encrypted: i=2; AJvYcCXduAxRGIhdIy0rG+D4f81qCosNfwc0iQmeZO/wwbFKU3G8ZSh/g/vRYgPskYevfNw2pFfveLs14GvhV3JNE/Cjx/ak/vTRYfDxiC6tjA==
X-Google-Smtp-Source: AGHT+IFgpaJk18pOHpurBlW+UM/d4Pq8rNvrVgHGzZGbkWAyV6XOHUeiayKmk6mFDap0fk4yWT3u
X-Received: by 2002:a17:906:e24f:b0:a58:e969:143a with SMTP id gq15-20020a170906e24f00b00a58e969143amr1343801ejb.51.1714655072861;
        Thu, 02 May 2024 06:04:32 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1714655072; cv=none;
        d=google.com; s=arc-20160816;
        b=1C3YPvUpch8OQzmEqWUbqdXWirNHQt/xjLt6wH8DLezMsR7QGVFhVVCKqHc9Yuqfo+
         6CAcFYkAYSGauErP4UL7dAos1s/HjgHulaeWDBObyYnth9LroBgjKOkA7TfDQGzCFWbB
         5vlXIuBGGf3Tc3+ewuNoWHAMgWKVlTAcEnmeAhS6K56D53Fw5cqaHrvxv2JyebROXa02
         KGgr/y9anXeZfKx76LMeppNDyC2xMUdl6HNYzXFNByba7cA8kiNBt2qH7CMIbRiFe/mk
         fDvIOpk1wPKlLZPeFEalpC3HBNqxp3em2FFn24vPLpsEWVm+RVUtjDdtAHrYXumuegc9
         ynuQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=subject:to:message-id:date:from:mime-version:delivered-to
         :delivered-to:reply-to:list-id:list-subscribe:list-unsubscribe
         :list-help:list-post:precedence:mailing-list;
        bh=RmFvrI+d5wbStCiUZVfBnCQAm+/EMDtQm25F+LZNKPE=;
        fh=fAlk0Qa9G4vgYOGAZ6Rm8QUBExFTqNszs6WvQMci9hQ=;
        b=fOl1NBTJC1lUTYJ1JAPxwbOu0wkGQbmX4cTgE8Szr9LjMp9DMlnk77CDecAKyF0/J3
         A+rJ2KeseP6Ex06MzXnxjNqbLdjGp9vav9plCQ7ds9W4zn+NJ6ECyKICqREyLhgUYGFB
         pbjmjSc2Iuyexj8cTWJVQbxHqmrSZ8n7IDk/Lp9cvuY8adRI2Ua/doO7ZkmI58T5kYK9
         d8ClPo9ku4Uo/1UK+OhZmqlBqLoYlAcYHkmjQPNWyeeFLGJUstKy3l5pOEPOzvJLJTaU
         PlT540caganMt8YXzV6C/xz9cT7OcpKFFTz9vxocFqpjg2EYrA8e2gdZdD0OtsuHTX2w
         qlBA==;
        dara=google.com
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of oss-security-return-30109-linux.lists.archive=gmail.com@lists.openwall.com designates 193.110.157.125 as permitted sender) smtp.mailfrom="oss-security-return-30109-linux.lists.archive=gmail.com@lists.openwall.com"
Return-Path: <oss-security-return-30109-linux.lists.archive=gmail.com@lists.openwall.com>
Received: from second.openwall.net (second.openwall.net. [193.110.157.125])
        by mx.google.com with SMTP id a9-20020a170906274900b00a58bbfce92esi521189ejd.401.2024.05.02.06.04.32
        for <linux.lists.archive@gmail.com>;
        Thu, 02 May 2024 06:04:32 -0700 (PDT)
Received-SPF: pass (google.com: domain of oss-security-return-30109-linux.lists.archive=gmail.com@lists.openwall.com designates 193.110.157.125 as permitted sender) client-ip=193.110.157.125;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of oss-security-return-30109-linux.lists.archive=gmail.com@lists.openwall.com designates 193.110.157.125 as permitted sender) smtp.mailfrom="oss-security-return-30109-linux.lists.archive=gmail.com@lists.openwall.com"
Received: (qmail 32289 invoked by uid 550); 2 May 2024 13:04:12 -0000
Mailing-List: contact oss-security-help@lists.openwall.com; run by ezmlm
Precedence: bulk
List-Post: <mailto:oss-security@lists.openwall.com>
List-Help: <mailto:oss-security-help@lists.openwall.com>
List-Unsubscribe: <mailto:oss-security-unsubscribe@lists.openwall.com>
List-Subscribe: <mailto:oss-security-subscribe@lists.openwall.com>
List-ID: <oss-security.lists.openwall.com>
Reply-To: oss-security@lists.openwall.com
Delivered-To: mailing list oss-security@lists.openwall.com
Delivered-To: moderator for oss-security@lists.openwall.com
Received: (qmail 13630 invoked from network); 2 May 2024 09:15:57 -0000
Authentication-Results: apache.org; auth=none
X-Forwarded-Encrypted: i=1; AJvYcCV6SprFyuTV+WnyL6XkFVIq4zygq6jaaZLPeCK1lT1Q+T8XFVXaSNIma67Tn09T2fz1pZwN275kv9qwyicVsT05Cg4nfjpkPFyMyPehojcl
X-Gm-Message-State: AOJu0Yw90P1shQrmc0i8cjE2diavUCdPaNc4Mgzl0Gj4b5TShdzSgNeJ
	NXpgzmvARv8wPfgWoMdPHD0SYhZlUizF51D55lnGn/Ii8BFJCP3oUdKKh6TQ7oZRpWp/khPwtFy
	CwIVgKOncwS8PAB9lU4nZxv15FdA=
X-Received: by 2002:a05:6122:1785:b0:4d4:126b:2c8 with SMTP id
 o5-20020a056122178500b004d4126b02c8mr5774615vkf.9.1714641346239; Thu, 02 May
 2024 02:15:46 -0700 (PDT)
MIME-Version: 1.0
From: YuanSheng Wang <membphis@apache.org>
Date: Thu, 2 May 2024 17:15:10 +0800
X-Gmail-Original-Message-ID: <CAKzgDd3JhyCMip9hKAAHaobS=n0u+ifB=qK74RT=3P25t2xuEg@mail.gmail.com>
Message-ID: <CAKzgDd3JhyCMip9hKAAHaobS=n0u+ifB=qK74RT=3P25t2xuEg@mail.gmail.com>
To: announce@apache.org, "dev@apisix.apache.org" <dev@apisix.apache.org>, 
	Apache Security Team <security@apache.org>, oss-security@lists.openwall.com, 
	Brandon Arp <brandonarp@gmail.com>
Content-Type: multipart/alternative; boundary="0000000000005c2ecf0617750c03"
Subject: [oss-security] CVE-2024-32638: Apache APISIX: Forward-Auth Request Smuggling

--0000000000005c2ecf0617750c03
Content-Type: text/plain; charset="UTF-8"

Severity: low

Affected versions:

- Apache APISIX 3.8.0, 3.9.0

Description:

Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
vulnerability in Apache APISIX when using `forward-auth` plugin.

This issue affects Apache APISIX: from 3.8.0, 3.9.0 .

Users are recommended to upgrade to version 3.8.1, 3.9.1 or higher, which
fixes the issue.

Credit:

Discovered and reported by Brandon Arp and Bruno Green of Topsort.

Regards.

-- 

*MembPhis*
My GitHub: https://github.com/membphis
Apache APISIX: https://github.com/apache/apisix

--0000000000005c2ecf0617750c03--