An attacker can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. A default configuration of Apache APISIX (with default API key) is vulnerable to remote code execution. When the admin key was changed or the port of Admin API was changed to a port different from the data panel, the impact is lower. But there is still a risk to bypass the IP restriction of Apache APISIX's data panel. There is a check in the batch-requests plugin which overrides the client IP with its real remote IP. But due to a bug in the code, this check can be bypassed.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HApache Apisix
APPApache< 2.10.42.11.0 – 2.12.1 (bez)
CISA KEV — detailsi
- Vendori
- Apache ↗
- Producti
- APISIX
- Added to KEVi
- August 25, 2022
- Remediation deadline (US Federal)i
- September 15, 2022(overdue)
Apply updates per vendor instructions.
Apache APISIX contains an authentication bypass vulnerability that allows for remote code execution.
Related vulnerabilities
Header injection w pluginie forward-auth Apache APISIX
In Apache APISIX before 2.13.0, when decoding JSON with duplicate keys, lua-cjson will choose the last occurre...
Authentication Bypass by Spoofing vulnerability in Apache APISIX. The attacker can completely bypass authenti...
Cleartext Transmission of Sensitive Information vulnerability in Apache APISIX. This can occur due to `ssl_ve...
Sensitive data exposure via logging in basic-auth leads to plaintext usernames and passwords written to error ...