Sensitive data exposure via logging in basic-auth leads to plaintext usernames and passwords written to error logs and forwarded to log sinks when log level is INFO/DEBUG. This creates a high risk of credential compromise through log access. It has been fixed in the following commit: https://github.com/apache/apisix/pull/12629 Users are recommended to upgrade to version 3.14, which fixes this issue.
oryginał ENCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NApache Apisix
APPApache1.0 – 3.14.0 (bez)
Powiązane podatności
An attacker can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. A ...
Header injection w pluginie forward-auth Apache APISIX
In Apache APISIX before 2.13.0, when decoding JSON with duplicate keys, lua-cjson will choose the last occurre...
Authentication Bypass by Spoofing vulnerability in Apache APISIX. The attacker can completely bypass authenti...
Cleartext Transmission of Sensitive Information vulnerability in Apache APISIX. This can occur due to `ssl_ve...