CVE-2024-32638: Apache APISIX: Forward-Auth Request Smuggling

[YuanSheng Wang <membphis () apache org>]

Severity: low

Affected versions:

- Apache APISIX 3.8.0, 3.9.0

Description:

Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
vulnerability in Apache APISIX when using `forward-auth` plugin.

This issue affects Apache APISIX: from 3.8.0, 3.9.0 .

Users are recommended to upgrade to version 3.8.1, 3.9.1 or higher, which
fixes the issue.

Credit:

Discovered and reported by Brandon Arp and Bruno Green of Topsort.

Regards.

-- 

*MembPhis*
My GitHub: https://github.com/membphis
Apache APISIX: https://github.com/apache/apisix