All the vulnerabilites related to Apache Software Foundation - Apache APISIX
cve-2022-25757
Vulnerability from cvelistv5
Published
2022-03-28 07:00
Modified
2024-08-03 04:49
Severity ?
EPSS score ?
Summary
In Apache APISIX before 2.13.0, when decoding JSON with duplicate keys, lua-cjson will choose the last occurred value as the result. By passing a JSON with a duplicate key, the attacker can bypass the body_schema validation in the request-validation plugin. For example, `{"string_payload":"bad","string_payload":"good"}` can be used to hide the "bad" input. Systems satisfy three conditions below are affected by this attack: 1. use body_schema validation in the request-validation plugin 2. upstream application uses a special JSON library that chooses the first occurred value, like jsoniter or gojay 3. upstream application does not validate the input anymore. The fix in APISIX is to re-encode the validated JSON input back into the request body at the side of APISIX. Improper Input Validation vulnerability in __COMPONENT__ of Apache APISIX allows an attacker to __IMPACT__. This issue affects Apache APISIX Apache APISIX version 2.12.1 and prior versions.
References
| ▼ | URL | Tags |
|---|---|---|
| https://lists.apache.org/thread/03vd2j81krxmpz6xo8p1dl642flpo6fv | x_refsource_MISC | |
| http://www.openwall.com/lists/oss-security/2022/03/28/2 | mailing-list, x_refsource_MLIST |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | Apache Software Foundation | Apache APISIX |
Version: Apache APISIX < |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:49:43.256Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread/03vd2j81krxmpz6xo8p1dl642flpo6fv"
},
{
"name": "[oss-security] 20220328 CVE-2022-25757: Apache APISIX: the body_schema check in request-validation plugin can be bypassed",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2022/03/28/2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache APISIX",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "2.12.1",
"status": "affected",
"version": "Apache APISIX",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Thanks for Guangli Dong from www.huoxian.cn"
}
],
"descriptions": [
{
"lang": "en",
"value": "In Apache APISIX before 2.13.0, when decoding JSON with duplicate keys, lua-cjson will choose the last occurred value as the result. By passing a JSON with a duplicate key, the attacker can bypass the body_schema validation in the request-validation plugin. For example, `{\"string_payload\":\"bad\",\"string_payload\":\"good\"}` can be used to hide the \"bad\" input. Systems satisfy three conditions below are affected by this attack: 1. use body_schema validation in the request-validation plugin 2. upstream application uses a special JSON library that chooses the first occurred value, like jsoniter or gojay 3. upstream application does not validate the input anymore. The fix in APISIX is to re-encode the validated JSON input back into the request body at the side of APISIX. Improper Input Validation vulnerability in __COMPONENT__ of Apache APISIX allows an attacker to __IMPACT__. This issue affects Apache APISIX Apache APISIX version 2.12.1 and prior versions."
}
],
"metrics": [
{
"other": {
"content": {
"other": "low"
},
"type": "unknown"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-03-28T11:06:08",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread/03vd2j81krxmpz6xo8p1dl642flpo6fv"
},
{
"name": "[oss-security] 20220328 CVE-2022-25757: Apache APISIX: the body_schema check in request-validation plugin can be bypassed",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2022/03/28/2"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache APISIX: the body_schema check in request-validation plugin can be bypassed",
"workarounds": [
{
"lang": "en",
"value": "1. upgrade APISIX to 2.13.0 if you need to use the body_schema validation in the request-validation plugin\n2. add additional validation in the application code, embrace defensive programming"
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2022-25757",
"STATE": "PUBLIC",
"TITLE": "Apache APISIX: the body_schema check in request-validation plugin can be bypassed"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache APISIX",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "Apache APISIX",
"version_value": "2.12.1"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Thanks for Guangli Dong from www.huoxian.cn"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Apache APISIX before 2.13.0, when decoding JSON with duplicate keys, lua-cjson will choose the last occurred value as the result. By passing a JSON with a duplicate key, the attacker can bypass the body_schema validation in the request-validation plugin. For example, `{\"string_payload\":\"bad\",\"string_payload\":\"good\"}` can be used to hide the \"bad\" input. Systems satisfy three conditions below are affected by this attack: 1. use body_schema validation in the request-validation plugin 2. upstream application uses a special JSON library that chooses the first occurred value, like jsoniter or gojay 3. upstream application does not validate the input anymore. The fix in APISIX is to re-encode the validated JSON input back into the request body at the side of APISIX. Improper Input Validation vulnerability in __COMPONENT__ of Apache APISIX allows an attacker to __IMPACT__. This issue affects Apache APISIX Apache APISIX version 2.12.1 and prior versions."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": [
{
"other": "low"
}
],
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-20 Improper Input Validation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread/03vd2j81krxmpz6xo8p1dl642flpo6fv",
"refsource": "MISC",
"url": "https://lists.apache.org/thread/03vd2j81krxmpz6xo8p1dl642flpo6fv"
},
{
"name": "[oss-security] 20220328 CVE-2022-25757: Apache APISIX: the body_schema check in request-validation plugin can be bypassed",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2022/03/28/2"
}
]
},
"source": {
"discovery": "UNKNOWN"
},
"work_around": [
{
"lang": "en",
"value": "1. upgrade APISIX to 2.13.0 if you need to use the body_schema validation in the request-validation plugin\n2. add additional validation in the application code, embrace defensive programming"
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2022-25757",
"datePublished": "2022-03-28T07:00:16",
"dateReserved": "2022-02-22T00:00:00",
"dateUpdated": "2024-08-03T04:49:43.256Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-43557
Vulnerability from cvelistv5
Published
2021-11-22 08:25
Modified
2024-08-04 04:03
Severity ?
EPSS score ?
Summary
The uri-block plugin in Apache APISIX before 2.10.2 uses $request_uri without verification. The $request_uri is the full original request URI without normalization. This makes it possible to construct a URI to bypass the block list on some occasions. For instance, when the block list contains "^/internal/", a URI like `//internal/` can be used to bypass it. Some other plugins also have the same issue. And it may affect the developer's custom plugin.
References
| ▼ | URL | Tags |
|---|---|---|
| https://lists.apache.org/thread/18jyd458ptocr31rnkjs71w4h366mv7h | x_refsource_MISC | |
| http://www.openwall.com/lists/oss-security/2021/11/22/1 | mailing-list, x_refsource_MLIST | |
| http://www.openwall.com/lists/oss-security/2021/11/22/2 | mailing-list, x_refsource_MLIST | |
| http://www.openwall.com/lists/oss-security/2021/11/23/1 | mailing-list, x_refsource_MLIST |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | Apache Software Foundation | Apache APISIX |
Version: 1.5 < Apache APISIX 1.5* |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T04:03:07.927Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread/18jyd458ptocr31rnkjs71w4h366mv7h"
},
{
"name": "[oss-security] 20211122 CVE-2021-43557: Apache APISIX: Path traversal in request_uri variable",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2021/11/22/1"
},
{
"name": "[oss-security] 20211122 Re: CVE-2021-43557: Apache APISIX: Path traversal in request_uri variable",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2021/11/22/2"
},
{
"name": "[oss-security] 20211123 Re: CVE-2021-43557: Apache APISIX: Path traversal in request_uri variable",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2021/11/23/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache APISIX",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "Apache APISIX 1.5*",
"status": "affected",
"version": "1.5",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The uri-block plugin in Apache APISIX before 2.10.2 uses $request_uri without verification. The $request_uri is the full original request URI without normalization. This makes it possible to construct a URI to bypass the block list on some occasions. For instance, when the block list contains \"^/internal/\", a URI like `//internal/` can be used to bypass it. Some other plugins also have the same issue. And it may affect the developer\u0027s custom plugin."
}
],
"metrics": [
{
"other": {
"content": {
"other": "moderate"
},
"type": "unknown"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Use Nginx\u0027s $request_uri variable without verification",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-11-23T12:06:15",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread/18jyd458ptocr31rnkjs71w4h366mv7h"
},
{
"name": "[oss-security] 20211122 CVE-2021-43557: Apache APISIX: Path traversal in request_uri variable",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2021/11/22/1"
},
{
"name": "[oss-security] 20211122 Re: CVE-2021-43557: Apache APISIX: Path traversal in request_uri variable",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2021/11/22/2"
},
{
"name": "[oss-security] 20211123 Re: CVE-2021-43557: Apache APISIX: Path traversal in request_uri variable",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2021/11/23/1"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Path traversal in request_uri variable",
"workarounds": [
{
"lang": "en",
"value": "1. Upgrade to APISIX 2.10.2, or apply this commit which provides a normalized $request_uri: https://github.com/apache/apisix/commit/9fc38330e82ce46e2aaabceef7d61708c91782db\n2. Carefully review custom code, find \u0026 fix the usage of $request_uri without verification."
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2021-43557",
"STATE": "PUBLIC",
"TITLE": "Path traversal in request_uri variable"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache APISIX",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_name": "Apache APISIX 1.5",
"version_value": "1.5"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The uri-block plugin in Apache APISIX before 2.10.2 uses $request_uri without verification. The $request_uri is the full original request URI without normalization. This makes it possible to construct a URI to bypass the block list on some occasions. For instance, when the block list contains \"^/internal/\", a URI like `//internal/` can be used to bypass it. Some other plugins also have the same issue. And it may affect the developer\u0027s custom plugin."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": [
{
"other": "moderate"
}
],
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Use Nginx\u0027s $request_uri variable without verification"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread/18jyd458ptocr31rnkjs71w4h366mv7h",
"refsource": "MISC",
"url": "https://lists.apache.org/thread/18jyd458ptocr31rnkjs71w4h366mv7h"
},
{
"name": "[oss-security] 20211122 CVE-2021-43557: Apache APISIX: Path traversal in request_uri variable",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2021/11/22/1"
},
{
"name": "[oss-security] 20211122 Re: CVE-2021-43557: Apache APISIX: Path traversal in request_uri variable",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2021/11/22/2"
},
{
"name": "[oss-security] 20211123 Re: CVE-2021-43557: Apache APISIX: Path traversal in request_uri variable",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2021/11/23/1"
}
]
},
"source": {
"discovery": "UNKNOWN"
},
"work_around": [
{
"lang": "en",
"value": "1. Upgrade to APISIX 2.10.2, or apply this commit which provides a normalized $request_uri: https://github.com/apache/apisix/commit/9fc38330e82ce46e2aaabceef7d61708c91782db\n2. Carefully review custom code, find \u0026 fix the usage of $request_uri without verification."
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2021-43557",
"datePublished": "2021-11-22T08:25:09",
"dateReserved": "2021-11-09T00:00:00",
"dateUpdated": "2024-08-04T04:03:07.927Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-13945
Vulnerability from cvelistv5
Published
2020-12-07 19:04
Modified
2024-08-04 12:32
Severity ?
EPSS score ?
Summary
In Apache APISIX, the user enabled the Admin API and deleted the Admin API access IP restriction rules. Eventually, the default token is allowed to access APISIX management data. This affects versions 1.2, 1.3, 1.4, 1.5.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | Apache Software Foundation | Apache APISIX |
Version: 1.2 Version: 1.3 Version: 1.4 Version: 1.5 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T12:32:14.572Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r792feb29964067a4108f53e8579a1e9bd1c8b5b9bc95618c814faf2f%40%3Cdev.apisix.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/166228/Apache-APISIX-Remote-Code-Execution.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache APISIX",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "1.2"
},
{
"status": "affected",
"version": "1.3"
},
{
"status": "affected",
"version": "1.4"
},
{
"status": "affected",
"version": "1.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Apache APISIX, the user enabled the Admin API and deleted the Admin API access IP restriction rules. Eventually, the default token is allowed to access APISIX management data. This affects versions 1.2, 1.3, 1.4, 1.5."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Admin API default access token vulnerability",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-03-07T17:06:17",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://lists.apache.org/thread.html/r792feb29964067a4108f53e8579a1e9bd1c8b5b9bc95618c814faf2f%40%3Cdev.apisix.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/166228/Apache-APISIX-Remote-Code-Execution.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2020-13945",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache APISIX",
"version": {
"version_data": [
{
"version_value": "1.2"
},
{
"version_value": "1.3"
},
{
"version_value": "1.4"
},
{
"version_value": "1.5"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Apache APISIX, the user enabled the Admin API and deleted the Admin API access IP restriction rules. Eventually, the default token is allowed to access APISIX management data. This affects versions 1.2, 1.3, 1.4, 1.5."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Admin API default access token vulnerability"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread.html/r792feb29964067a4108f53e8579a1e9bd1c8b5b9bc95618c814faf2f%40%3Cdev.apisix.apache.org%3E",
"refsource": "CONFIRM",
"url": "https://lists.apache.org/thread.html/r792feb29964067a4108f53e8579a1e9bd1c8b5b9bc95618c814faf2f%40%3Cdev.apisix.apache.org%3E"
},
{
"name": "http://packetstormsecurity.com/files/166228/Apache-APISIX-Remote-Code-Execution.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/166228/Apache-APISIX-Remote-Code-Execution.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2020-13945",
"datePublished": "2020-12-07T19:04:52",
"dateReserved": "2020-06-08T00:00:00",
"dateUpdated": "2024-08-04T12:32:14.572Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-32638
Vulnerability from cvelistv5
Published
2024-05-02 09:20
Modified
2024-08-02 02:13
Severity ?
EPSS score ?
Summary
Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in Apache APISIX when using `forward-auth` plugin.This issue affects Apache APISIX: from 3.8.0, 3.9.0.
Users are recommended to upgrade to version 3.8.1, 3.9.1 or higher, which fixes the issue.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | Apache Software Foundation | Apache APISIX |
Version: 3.8.0 < |
|
|
|||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache_software_foundation:Apache_APISIX:3.8.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "Apache_APISIX",
"vendor": "apache_software_foundation",
"versions": [
{
"status": "affected",
"version": "3.8.0"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-32638",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-02T13:37:37.631816Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-444",
"description": "CWE-444 Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request Smuggling\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:51:36.154Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T02:13:40.364Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/ngvgxllw4zn4hgngkqw2o225kf9wotov"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/05/02/2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache APISIX",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "3.9.0",
"status": "affected",
"version": "3.8.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Discovered and reported by Brandon Arp and Bruno Green of Topsort."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eInconsistent Interpretation of HTTP Requests (\u0027HTTP Request Smuggling\u0027)\u003c/span\u003e\u0026nbsp;vulnerability in Apache APISIX when using `forward-auth` plugin.\u003cp\u003eThis issue affects Apache APISIX: from 3.8.0, 3.9.0.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 3.8.1, 3.9.1 or higher, which fixes the issue.\u003c/p\u003e"
}
],
"value": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request Smuggling\u0027)\u00a0vulnerability in Apache APISIX when using `forward-auth` plugin.This issue affects Apache APISIX: from 3.8.0, 3.9.0.\n\nUsers are recommended to upgrade to version 3.8.1, 3.9.1 or higher, which fixes the issue.\n\n"
}
],
"metrics": [
{
"other": {
"content": {
"text": "low"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-444",
"description": "CWE-444 Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request Smuggling\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-02T09:20:29.127Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/ngvgxllw4zn4hgngkqw2o225kf9wotov"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/05/02/2"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Apache APISIX: Forward-Auth Request Smuggling",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-32638",
"datePublished": "2024-05-02T09:20:29.127Z",
"dateReserved": "2024-04-16T11:56:04.600Z",
"dateUpdated": "2024-08-02T02:13:40.364Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-24112
Vulnerability from cvelistv5
Published
2022-02-11 12:20
Modified
2024-08-03 03:59
Severity ?
EPSS score ?
Summary
An attacker can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. A default configuration of Apache APISIX (with default API key) is vulnerable to remote code execution. When the admin key was changed or the port of Admin API was changed to a port different from the data panel, the impact is lower. But there is still a risk to bypass the IP restriction of Apache APISIX's data panel. There is a check in the batch-requests plugin which overrides the client IP with its real remote IP. But due to a bug in the code, this check can be bypassed.
References
| ▼ | URL | Tags |
|---|---|---|
| https://lists.apache.org/thread/lcdqywz8zy94mdysk7p3gfdgn51jmt94 | x_refsource_MISC | |
| http://www.openwall.com/lists/oss-security/2022/02/11/3 | mailing-list, x_refsource_MLIST | |
| http://packetstormsecurity.com/files/166228/Apache-APISIX-Remote-Code-Execution.html | x_refsource_MISC | |
| http://packetstormsecurity.com/files/166328/Apache-APISIX-2.12.1-Remote-Code-Execution.html | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | Apache Software Foundation | Apache APISIX |
Version: Apache APISIX 2.12 < 2.12.1 Version: Apache APISIX 2.10 < 2.10.4 Version: 1.3 < Apache APISIX 1* |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:59:23.660Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread/lcdqywz8zy94mdysk7p3gfdgn51jmt94"
},
{
"name": "[oss-security] 20220211 CVE-2022-24112: Apache APISIX: apisix/batch-requests plugin allows overwriting the X-REAL-IP header",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2022/02/11/3"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/166228/Apache-APISIX-Remote-Code-Execution.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/166328/Apache-APISIX-2.12.1-Remote-Code-Execution.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache APISIX",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "2.12.1",
"status": "affected",
"version": "Apache APISIX 2.12",
"versionType": "custom"
},
{
"lessThan": "2.10.4",
"status": "affected",
"version": "Apache APISIX 2.10",
"versionType": "custom"
},
{
"lessThan": "Apache APISIX 1*",
"status": "affected",
"version": "1.3",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Original discovery by Real World CTF at Chaitin Tech. Reported by Sauercloud."
}
],
"descriptions": [
{
"lang": "en",
"value": "An attacker can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. A default configuration of Apache APISIX (with default API key) is vulnerable to remote code execution. When the admin key was changed or the port of Admin API was changed to a port different from the data panel, the impact is lower. But there is still a risk to bypass the IP restriction of Apache APISIX\u0027s data panel. There is a check in the batch-requests plugin which overrides the client IP with its real remote IP. But due to a bug in the code, this check can be bypassed."
}
],
"metrics": [
{
"other": {
"content": {
"other": "high"
},
"type": "unknown"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-290",
"description": "CWE-290 Authentication Bypass by Spoofing",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-03-16T18:06:16",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread/lcdqywz8zy94mdysk7p3gfdgn51jmt94"
},
{
"name": "[oss-security] 20220211 CVE-2022-24112: Apache APISIX: apisix/batch-requests plugin allows overwriting the X-REAL-IP header",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2022/02/11/3"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/166228/Apache-APISIX-Remote-Code-Execution.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/166328/Apache-APISIX-2.12.1-Remote-Code-Execution.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "apisix/batch-requests plugin allows overwriting the X-REAL-IP header",
"workarounds": [
{
"lang": "en",
"value": "1. explicitly configure the enabled plugins in `conf/config.yaml`, ensure `batch-requests` is disabled. (Or just comment out `batch-requests` in `conf/config-default.yaml`)\nOr\n1. upgrade to 2.10.4 or 2.12.1."
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2022-24112",
"STATE": "PUBLIC",
"TITLE": "apisix/batch-requests plugin allows overwriting the X-REAL-IP header"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache APISIX",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "Apache APISIX 2.12",
"version_value": "2.12.1"
},
{
"version_affected": "\u003c",
"version_name": "Apache APISIX 2.10",
"version_value": "2.10.4"
},
{
"version_affected": "\u003e=",
"version_name": "Apache APISIX 1",
"version_value": "1.3"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Original discovery by Real World CTF at Chaitin Tech. Reported by Sauercloud."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An attacker can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. A default configuration of Apache APISIX (with default API key) is vulnerable to remote code execution. When the admin key was changed or the port of Admin API was changed to a port different from the data panel, the impact is lower. But there is still a risk to bypass the IP restriction of Apache APISIX\u0027s data panel. There is a check in the batch-requests plugin which overrides the client IP with its real remote IP. But due to a bug in the code, this check can be bypassed."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": [
{
"other": "high"
}
],
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-290 Authentication Bypass by Spoofing"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread/lcdqywz8zy94mdysk7p3gfdgn51jmt94",
"refsource": "MISC",
"url": "https://lists.apache.org/thread/lcdqywz8zy94mdysk7p3gfdgn51jmt94"
},
{
"name": "[oss-security] 20220211 CVE-2022-24112: Apache APISIX: apisix/batch-requests plugin allows overwriting the X-REAL-IP header",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2022/02/11/3"
},
{
"name": "http://packetstormsecurity.com/files/166228/Apache-APISIX-Remote-Code-Execution.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/166228/Apache-APISIX-Remote-Code-Execution.html"
},
{
"name": "http://packetstormsecurity.com/files/166328/Apache-APISIX-2.12.1-Remote-Code-Execution.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/166328/Apache-APISIX-2.12.1-Remote-Code-Execution.html"
}
]
},
"source": {
"discovery": "UNKNOWN"
},
"work_around": [
{
"lang": "en",
"value": "1. explicitly configure the enabled plugins in `conf/config.yaml`, ensure `batch-requests` is disabled. (Or just comment out `batch-requests` in `conf/config-default.yaml`)\nOr\n1. upgrade to 2.10.4 or 2.12.1."
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2022-24112",
"datePublished": "2022-02-11T12:20:13",
"dateReserved": "2022-01-28T00:00:00",
"dateUpdated": "2024-08-03T03:59:23.660Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-29266
Vulnerability from cvelistv5
Published
2022-04-20 07:15
Modified
2024-08-03 06:17
Severity ?
EPSS score ?
Summary
In APache APISIX before 3.13.1, the jwt-auth plugin has a security issue that leaks the user's secret key because the error message returned from the dependency lua-resty-jwt contains sensitive information.
References
| ▼ | URL | Tags |
|---|---|---|
| https://lists.apache.org/thread/6qpfyxogbvn18g9xr8g218jjfjbfsbhr | x_refsource_MISC | |
| http://www.openwall.com/lists/oss-security/2022/04/20/1 | mailing-list, x_refsource_MLIST |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | Apache Software Foundation | Apache APISIX |
Version: Apache APISIX < |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T06:17:54.494Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread/6qpfyxogbvn18g9xr8g218jjfjbfsbhr"
},
{
"name": "[oss-security] 20220420 CVE-2022-29266: Apache APISIX: apisix/jwt-auth may leak secrets in error response",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2022/04/20/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache APISIX",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "2.13.0",
"status": "affected",
"version": "Apache APISIX",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Discovered and reported by a team from Kingdee Software (China) Ltd. consisting of Zhongyuan Tang, Hongfeng Xie, and Bing Chen."
}
],
"descriptions": [
{
"lang": "en",
"value": "In APache APISIX before 3.13.1, the jwt-auth plugin has a security issue that leaks the user\u0027s secret key because the error message returned from the dependency lua-resty-jwt contains sensitive information."
}
],
"metrics": [
{
"other": {
"content": {
"other": "critical"
},
"type": "unknown"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-209",
"description": "CWE-209 Generation of Error Message Containing Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-25T12:10:09",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread/6qpfyxogbvn18g9xr8g218jjfjbfsbhr"
},
{
"name": "[oss-security] 20220420 CVE-2022-29266: Apache APISIX: apisix/jwt-auth may leak secrets in error response",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2022/04/20/1"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "apisix/jwt-auth may leak secrets in error response",
"workarounds": [
{
"lang": "en",
"value": "1. Upgrade to 2.13.1 and above\n\n2. Apply the following patch to Apache APISIX and rebuild it:\nThis will make this error message no longer contain sensitive information and return a fixed error message to the caller.\nFor the current LTS 2.13.x or master:\nhttps://github.com/apache/apisix/pull/6846\nhttps://github.com/apache/apisix/pull/6847\nhttps://github.com/apache/apisix/pull/6858\nFor the last LTS 2.10.x:\nhttps://github.com/apache/apisix/pull/6847\nhttps://github.com/apache/apisix/pull/6855\n\n3. Manually modify the version you are using according to the commit above and rebuild it to circumvent the vulnerability."
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2022-29266",
"STATE": "PUBLIC",
"TITLE": "apisix/jwt-auth may leak secrets in error response"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache APISIX",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "Apache APISIX",
"version_value": "2.13.0"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Discovered and reported by a team from Kingdee Software (China) Ltd. consisting of Zhongyuan Tang, Hongfeng Xie, and Bing Chen."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In APache APISIX before 3.13.1, the jwt-auth plugin has a security issue that leaks the user\u0027s secret key because the error message returned from the dependency lua-resty-jwt contains sensitive information."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": [
{
"other": "critical"
}
],
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-209 Generation of Error Message Containing Sensitive Information"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread/6qpfyxogbvn18g9xr8g218jjfjbfsbhr",
"refsource": "MISC",
"url": "https://lists.apache.org/thread/6qpfyxogbvn18g9xr8g218jjfjbfsbhr"
},
{
"name": "[oss-security] 20220420 CVE-2022-29266: Apache APISIX: apisix/jwt-auth may leak secrets in error response",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2022/04/20/1"
}
]
},
"source": {
"discovery": "UNKNOWN"
},
"work_around": [
{
"lang": "en",
"value": "1. Upgrade to 2.13.1 and above\n\n2. Apply the following patch to Apache APISIX and rebuild it:\nThis will make this error message no longer contain sensitive information and return a fixed error message to the caller.\nFor the current LTS 2.13.x or master:\nhttps://github.com/apache/apisix/pull/6846\nhttps://github.com/apache/apisix/pull/6847\nhttps://github.com/apache/apisix/pull/6858\nFor the last LTS 2.10.x:\nhttps://github.com/apache/apisix/pull/6847\nhttps://github.com/apache/apisix/pull/6855\n\n3. Manually modify the version you are using according to the commit above and rebuild it to circumvent the vulnerability."
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2022-29266",
"datePublished": "2022-04-20T07:15:13",
"dateReserved": "2022-04-15T00:00:00",
"dateUpdated": "2024-08-03T06:17:54.494Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}