CVE-2022-24112 (GCVE-0-2022-24112)

Vulnerability from cvelistv5 – Published: 2022-02-11 12:20 – Updated: 2025-10-21 23:15
Summary
An attacker can abuse the batch-requests plugin to send requests that bypass the IP restriction on the Admin API. A default configuration of Apache APISIX (with the default admin API key) is therefore vulnerable to remote code execution. When the admin key has been changed, or the Admin API has been moved to a port different from the data plane's, the impact is lower, but the IP restriction on the data plane can still be bypassed. The batch-requests plugin contains a check that overrides the client IP header of each batched request with the real remote IP; due to a bug in that code, the check can be bypassed.
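The record above says only that the plugin's real-IP override "can be bypassed". The following model, added here by the editor and not code from the page or from Apache APISIX, shows the class of mistake that produces exactly that symptom and the check that closes it. It assumes (the page does not say so) that the bypass comes down to header-name case: HTTP header names are case-insensitive, but a merge that overwrites the real-IP header by exact key leaves an attacker-supplied spelling such as `X-REAL-IP` in place. The allowlist `127.0.0.0/24` is the shipped `allow_admin` default; the pipeline headers and the remote address are constructed sample data.

```python
"""Model of the header handling behind CVE-2022-24112.

Editor-added illustration; not code from Apache APISIX. Assumption not
stated on the page: the bypass is a header-name case mismatch. A merge that
overwrites "X-Real-IP" by exact key keeps an attacker's "X-REAL-IP", and a
downstream consumer that resolves the name case-insensitively may read the
attacker's value instead of the trusted one.
"""
import ipaddress
from typing import Dict, Optional

REAL_IP_HEADER = "X-Real-IP"

# Admin API allowlist as shipped in APISIX 2.x config-default.yaml
# (`apisix.allow_admin`); used here as the policy under test.
ADMIN_ALLOWLIST = [ipaddress.ip_network("127.0.0.0/24")]

# Constructed sample: one entry of a batch-requests "pipeline" sent by a
# remote client that tries to smuggle a loopback address.
ATTACKER_PIPELINE_HEADERS: Dict[str, str] = {
    "X-REAL-IP": "127.0.0.1",
    "Content-Type": "application/json",
}
CLIENT_REMOTE_ADDR = "203.0.113.7"  # TEST-NET-3 address standing in for the real peer


def merge_headers_vulnerable(pipeline: Dict[str, str], remote_addr: str) -> Dict[str, str]:
    """Copy the per-request headers and set the real IP by exact key only.

    Any differently-cased spelling of the header survives untouched, so the
    outgoing request carries both the attacker's value and the real one.
    """
    merged = dict(pipeline)
    merged[REAL_IP_HEADER] = remote_addr
    return merged


def merge_headers_fixed(pipeline: Dict[str, str], remote_addr: str) -> Dict[str, str]:
    """Drop every spelling of the real-IP header, then set the trusted value.

    Comparing lowercased names is the check a reviewer would ask for: the
    client cannot pick a spelling that escapes the overwrite.
    """
    merged = {k: v for k, v in pipeline.items() if k.lower() != REAL_IP_HEADER.lower()}
    merged[REAL_IP_HEADER] = remote_addr
    return merged


def client_ip_seen_downstream(headers: Dict[str, str]) -> Optional[str]:
    """Consumer that resolves the header case-insensitively and takes the
    first match in wire order. Modelling choice: which duplicate wins in the
    real proxy stack is not specified on the page."""
    for name, value in headers.items():
        if name.lower() == REAL_IP_HEADER.lower():
            return value
    return None


def admin_api_allows(headers: Dict[str, str]) -> bool:
    """Allowlist decision the Admin API would make from the resolved client IP."""
    ip = client_ip_seen_downstream(headers)
    if ip is None:
        return False
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ADMIN_ALLOWLIST)


if __name__ == "__main__":
    for label, merge in (("vulnerable", merge_headers_vulnerable), ("fixed", merge_headers_fixed)):
        hdrs = merge(ATTACKER_PIPELINE_HEADERS, CLIENT_REMOTE_ADDR)
        print(f"{label:10s} headers={hdrs} admin_allowed={admin_api_allows(hdrs)}")
```

Run as a script, the vulnerable merge passes the allowlist with the smuggled `127.0.0.1`, while the fixed merge presents only `203.0.113.7` and is refused. The same normalisation applies to any header a trust decision is derived from, not only `X-Real-IP`.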
Severity
No CVSS vector from the CNA (the Apache record carries only an "other: high" impact rating). NVD and the CISA ADP both score it CVSS 3.1 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H); NVD's CVSS 2.0 score is 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P). CISA SSVC: Exploitation active, Automatable yes, Technical Impact total.
CWE
  • CWE-290 - Authentication Bypass by Spoofing
Assigner: Apache Software Foundation (security@apache.org)
Impacted products
Vendor: Apache Software Foundation
Product: Apache APISIX
Affected per the CNA record: 2.12.x before 2.12.1; 2.10.x before 2.10.4; 1.x from 1.3 onward.
Affected per the NVD CPE match: every version before 2.10.4, and 2.11.0 up to but not including 2.12.1.
Fixed in: 2.10.4 and 2.12.1 (vendor workaround: disable the `batch-requests` plugin).
Credits
Original discovery by Real World CTF at Chaitin Tech. Reported by Sauercloud.
CISA Known Exploited Vulnerability
Data from the CISA Known Exploited Vulnerabilities Catalog

Date added: 2022-08-25

Due date: 2022-09-15

Required action: Apply updates per vendor instructions.

Used in ransomware: Unknown

Notes: https://lists.apache.org/thread/lcdqywz8zy94mdysk7p3gfdgn51jmt94; https://nvd.nist.gov/vuln/detail/CVE-2022-24112
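The vendor workaround recorded in the CNA container further down (explicitly set the plugin list in `conf/config.yaml` without `batch-requests`, or upgrade to 2.10.4 / 2.12.1) and the two conditions the summary says reduce impact (a non-default admin key, and an Admin API port separate from the data plane) all map to settings in one file. The fragment below is an editor-added example, not taken from the page or from the APISIX project; it assumes the APISIX 2.x configuration layout (`apisix.admin_key`, `apisix.allow_admin`, `apisix.port_admin`, top-level `plugins`) and should be compared against the `config-default.yaml` shipped with the release you run.

```yaml
# conf/config.yaml -- operator overrides, merged over conf/config-default.yaml.
# Editor-added example; not from the page or from the APISIX project.
# Assumption: key names and the "plugins: replaces the default list" behaviour
# follow the APISIX 2.x layout. Verify against your release's config-default.yaml.
#
# Weak defaults this CVE relies on (what config-default.yaml gives you):
#   apisix.admin_key   -> a published, well-known key
#   apisix.allow_admin -> 127.0.0.0/24, decided from the client IP the request presents
#   Admin API          -> served on the data-plane listener (no port_admin set)
#   plugins            -> default list, which includes batch-requests
# Each of those is changed below.

apisix:
  enable_admin: true
  admin_key:
    - name: admin
      key: "REPLACE-ME-generate-with-openssl-rand-hex-32"   # never the shipped default
      role: admin
  allow_admin:
    - 127.0.0.0/24        # keep the allowlist as a second layer, not the only one
  port_admin: 9180        # Admin API on its own port, away from the data-plane listener

# Setting `plugins:` here replaces the default list wholesale, so any plugin
# you leave out is disabled. `batch-requests` is intentionally not listed.
plugins:
  - ip-restriction
  - key-auth
  - limit-count
  - proxy-rewrite
  # add only the plugins your routes actually use
```

After reloading, a request to the batch endpoint on the data-plane port should no longer be served by the plugin, and the Admin API should answer only on 9180 with the new key. The upgrade is still the actual fix; the configuration above limits what an unpatched node can be made to do.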


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T03:59:23.660Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread/lcdqywz8zy94mdysk7p3gfdgn51jmt94"
          },
          {
            "name": "[oss-security] 20220211 CVE-2022-24112: Apache APISIX: apisix/batch-requests plugin allows overwriting the X-REAL-IP header",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2022/02/11/3"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/166228/Apache-APISIX-Remote-Code-Execution.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/166328/Apache-APISIX-2.12.1-Remote-Code-Execution.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 9.8,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2022-24112",
                "options": [
                  {
                    "Exploitation": "active"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-29T21:21:39.557669Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          },
          {
            "other": {
              "content": {
                "dateAdded": "2022-08-25",
                "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-24112"
              },
              "type": "kev"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-21T23:15:46.674Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "government-resource"
            ],
            "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-24112"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2022-08-25T00:00:00+00:00",
            "value": "CVE-2022-24112 added to CISA KEV"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Apache APISIX",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThan": "2.12.1",
              "status": "affected",
              "version": "Apache APISIX 2.12",
              "versionType": "custom"
            },
            {
              "lessThan": "2.10.4",
              "status": "affected",
              "version": "Apache APISIX 2.10",
              "versionType": "custom"
            },
            {
              "lessThan": "Apache APISIX 1*",
              "status": "affected",
              "version": "1.3",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Original discovery by Real World CTF at Chaitin Tech. Reported by Sauercloud."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An attacker can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. A default configuration of Apache APISIX (with default API key) is vulnerable to remote code execution. When the admin key was changed or the port of Admin API was changed to a port different from the data panel, the impact is lower. But there is still a risk to bypass the IP restriction of Apache APISIX\u0027s data panel. There is a check in the batch-requests plugin which overrides the client IP with its real remote IP. But due to a bug in the code, this check can be bypassed."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "other": "high"
            },
            "type": "unknown"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-290",
              "description": "CWE-290 Authentication Bypass by Spoofing",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-03-16T18:06:16.000Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://lists.apache.org/thread/lcdqywz8zy94mdysk7p3gfdgn51jmt94"
        },
        {
          "name": "[oss-security] 20220211 CVE-2022-24112: Apache APISIX: apisix/batch-requests plugin allows overwriting the X-REAL-IP header",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2022/02/11/3"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://packetstormsecurity.com/files/166228/Apache-APISIX-Remote-Code-Execution.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://packetstormsecurity.com/files/166328/Apache-APISIX-2.12.1-Remote-Code-Execution.html"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "apisix/batch-requests plugin allows overwriting the X-REAL-IP header",
      "workarounds": [
        {
          "lang": "en",
          "value": "1. explicitly configure the enabled plugins in `conf/config.yaml`, ensure `batch-requests` is disabled. (Or just comment out `batch-requests` in `conf/config-default.yaml`)\nOr\n1. upgrade to 2.10.4 or 2.12.1."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2022-24112",
          "STATE": "PUBLIC",
          "TITLE": "apisix/batch-requests plugin allows overwriting the X-REAL-IP header"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Apache APISIX",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "Apache APISIX 2.12",
                            "version_value": "2.12.1"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_name": "Apache APISIX 2.10",
                            "version_value": "2.10.4"
                          },
                          {
                            "version_affected": "\u003e=",
                            "version_name": "Apache APISIX 1",
                            "version_value": "1.3"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Apache Software Foundation"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Original discovery by Real World CTF at Chaitin Tech. Reported by Sauercloud."
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An attacker can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. A default configuration of Apache APISIX (with default API key) is vulnerable to remote code execution. When the admin key was changed or the port of Admin API was changed to a port different from the data panel, the impact is lower. But there is still a risk to bypass the IP restriction of Apache APISIX\u0027s data panel. There is a check in the batch-requests plugin which overrides the client IP with its real remote IP. But due to a bug in the code, this check can be bypassed."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": [
          {
            "other": "high"
          }
        ],
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-290 Authentication Bypass by Spoofing"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://lists.apache.org/thread/lcdqywz8zy94mdysk7p3gfdgn51jmt94",
              "refsource": "MISC",
              "url": "https://lists.apache.org/thread/lcdqywz8zy94mdysk7p3gfdgn51jmt94"
            },
            {
              "name": "[oss-security] 20220211 CVE-2022-24112: Apache APISIX: apisix/batch-requests plugin allows overwriting the X-REAL-IP header",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2022/02/11/3"
            },
            {
              "name": "http://packetstormsecurity.com/files/166228/Apache-APISIX-Remote-Code-Execution.html",
              "refsource": "MISC",
              "url": "http://packetstormsecurity.com/files/166228/Apache-APISIX-Remote-Code-Execution.html"
            },
            {
              "name": "http://packetstormsecurity.com/files/166328/Apache-APISIX-2.12.1-Remote-Code-Execution.html",
              "refsource": "MISC",
              "url": "http://packetstormsecurity.com/files/166328/Apache-APISIX-2.12.1-Remote-Code-Execution.html"
            }
          ]
        },
        "source": {
          "discovery": "UNKNOWN"
        },
        "work_around": [
          {
            "lang": "en",
            "value": "1. explicitly configure the enabled plugins in `conf/config.yaml`, ensure `batch-requests` is disabled. (Or just comment out `batch-requests` in `conf/config-default.yaml`)\nOr\n1. upgrade to 2.10.4 or 2.12.1."
          }
        ]
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2022-24112",
    "datePublished": "2022-02-11T12:20:13.000Z",
    "dateReserved": "2022-01-28T00:00:00.000Z",
    "dateUpdated": "2025-10-21T23:15:46.674Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "cisa_known_exploited": {
      "cveID": "CVE-2022-24112",
      "cwes": "[\"CWE-290\"]",
      "dateAdded": "2022-08-25",
      "dueDate": "2022-09-15",
      "knownRansomwareCampaignUse": "Unknown",
      "notes": "https://lists.apache.org/thread/lcdqywz8zy94mdysk7p3gfdgn51jmt94;  https://nvd.nist.gov/vuln/detail/CVE-2022-24112",
      "product": "APISIX",
      "requiredAction": "Apply updates per vendor instructions.",
      "shortDescription": "Apache APISIX contains an authentication bypass vulnerability that allows for remote code execution.",
      "vendorProject": "Apache",
      "vulnerabilityName": "Apache APISIX Authentication Bypass Vulnerability"
    },
    "fkie_nvd": {
      "cisaActionDue": "2022-09-15",
      "cisaExploitAdd": "2022-08-25",
      "cisaRequiredAction": "Apply updates per vendor instructions.",
      "cisaVulnerabilityName": "Apache APISIX Authentication Bypass Vulnerability",
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:apisix:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"2.10.4\", \"matchCriteriaId\": \"DA41EFA2-1D6E-4D57-89BC-F8A96D684F23\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:apisix:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"2.11.0\", \"versionEndExcluding\": \"2.12.1\", \"matchCriteriaId\": \"8F0B2998-1638-42BC-8585-9AF1E137F4CF\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"An attacker can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. A default configuration of Apache APISIX (with default API key) is vulnerable to remote code execution. When the admin key was changed or the port of Admin API was changed to a port different from the data panel, the impact is lower. But there is still a risk to bypass the IP restriction of Apache APISIX\u0027s data panel. There is a check in the batch-requests plugin which overrides the client IP with its real remote IP. But due to a bug in the code, this check can be bypassed.\"}, {\"lang\": \"es\", \"value\": \"Un atacante puede abusar del plugin batch-requests para enviar peticiones para omitir la restricci\\u00f3n de IP de la API de administraci\\u00f3n. Una configuraci\\u00f3n por defecto de Apache APISIX (con la clave API por defecto) es vulnerable a una ejecuci\\u00f3n de c\\u00f3digo remota. Cuando ha  sido cambiada la clave de administraci\\u00f3n o ha sido cambiado el puerto de la API de administraci\\u00f3n a un puerto diferente al del panel de datos, el impacto es menor. Pero todav\\u00eda se presenta el riesgo de omitir la restricci\\u00f3n de IP del panel de datos de Apache APISIX. Se presenta una comprobaci\\u00f3n en el plugin de peticiones por lotes que anula la IP del cliente con su IP remota real. Pero debido a un error en el c\\u00f3digo, esta comprobaci\\u00f3n puede ser omitida\"}]",
      "id": "CVE-2022-24112",
      "lastModified": "2024-11-21T06:49:49.803",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.9}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:P/I:P/A:P\", \"baseScore\": 7.5, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"HIGH\", \"exploitabilityScore\": 10.0, \"impactScore\": 6.4, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2022-02-11T13:15:08.073",
      "references": "[{\"url\": \"http://packetstormsecurity.com/files/166228/Apache-APISIX-Remote-Code-Execution.html\", \"source\": \"security@apache.org\", \"tags\": [\"Exploit\", \"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"http://packetstormsecurity.com/files/166328/Apache-APISIX-2.12.1-Remote-Code-Execution.html\", \"source\": \"security@apache.org\", \"tags\": [\"Exploit\", \"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2022/02/11/3\", \"source\": \"security@apache.org\", \"tags\": [\"Mailing List\", \"Mitigation\", \"Third Party Advisory\"]}, {\"url\": \"https://lists.apache.org/thread/lcdqywz8zy94mdysk7p3gfdgn51jmt94\", \"source\": \"security@apache.org\", \"tags\": [\"Mailing List\", \"Mitigation\", \"Vendor Advisory\"]}, {\"url\": \"http://packetstormsecurity.com/files/166228/Apache-APISIX-Remote-Code-Execution.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"http://packetstormsecurity.com/files/166328/Apache-APISIX-2.12.1-Remote-Code-Execution.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2022/02/11/3\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Mitigation\", \"Third Party Advisory\"]}, {\"url\": \"https://lists.apache.org/thread/lcdqywz8zy94mdysk7p3gfdgn51jmt94\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Mitigation\", \"Vendor Advisory\"]}]",
      "sourceIdentifier": "security@apache.org",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"security@apache.org\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-290\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-290\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-24112\",\"sourceIdentifier\":\"security@apache.org\",\"published\":\"2022-02-11T13:15:08.073\",\"lastModified\":\"2025-10-23T14:48:48.137\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"An attacker can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. A default configuration of Apache APISIX (with default API key) is vulnerable to remote code execution. When the admin key was changed or the port of Admin API was changed to a port different from the data panel, the impact is lower. But there is still a risk to bypass the IP restriction of Apache APISIX\u0027s data panel. There is a check in the batch-requests plugin which overrides the client IP with its real remote IP. But due to a bug in the code, this check can be bypassed.\"},{\"lang\":\"es\",\"value\":\"Un atacante puede abusar del plugin batch-requests para enviar peticiones para omitir la restricci\u00f3n de IP de la API de administraci\u00f3n. Una configuraci\u00f3n por defecto de Apache APISIX (con la clave API por defecto) es vulnerable a una ejecuci\u00f3n de c\u00f3digo remota. Cuando ha  sido cambiada la clave de administraci\u00f3n o ha sido cambiado el puerto de la API de administraci\u00f3n a un puerto diferente al del panel de datos, el impacto es menor. Pero todav\u00eda se presenta el riesgo de omitir la restricci\u00f3n de IP del panel de datos de Apache APISIX. Se presenta una comprobaci\u00f3n en el plugin de peticiones por lotes que anula la IP del cliente con su IP remota real. 
Pero debido a un error en el c\u00f3digo, esta comprobaci\u00f3n puede ser omitida\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:P/A:P\",\"baseScore\":7.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":10.0,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"cisaExploitAdd\":\"2022-08-25\",\"cisaActionDue\":\"2022-09-15\",\"cisaRequiredAction\":\"Apply updates per vendor instructions.\",\"cisaVulnerabilityName\":\"Apache APISIX Authentication Bypass 
Vulnerability\",\"weaknesses\":[{\"source\":\"security@apache.org\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-290\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-290\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:apisix:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2.10.4\",\"matchCriteriaId\":\"DA41EFA2-1D6E-4D57-89BC-F8A96D684F23\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:apisix:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.11.0\",\"versionEndExcluding\":\"2.12.1\",\"matchCriteriaId\":\"8F0B2998-1638-42BC-8585-9AF1E137F4CF\"}]}]}],\"references\":[{\"url\":\"http://packetstormsecurity.com/files/166228/Apache-APISIX-Remote-Code-Execution.html\",\"source\":\"security@apache.org\",\"tags\":[\"Exploit\",\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://packetstormsecurity.com/files/166328/Apache-APISIX-2.12.1-Remote-Code-Execution.html\",\"source\":\"security@apache.org\",\"tags\":[\"Exploit\",\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2022/02/11/3\",\"source\":\"security@apache.org\",\"tags\":[\"Mailing List\",\"Mitigation\",\"Third Party Advisory\"]},{\"url\":\"https://lists.apache.org/thread/lcdqywz8zy94mdysk7p3gfdgn51jmt94\",\"source\":\"security@apache.org\",\"tags\":[\"Mailing List\",\"Mitigation\",\"Vendor Advisory\"]},{\"url\":\"http://packetstormsecurity.com/files/166228/Apache-APISIX-Remote-Code-Execution.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://packetstormsecurity.com/files/166328/Apache-APISIX-2.12.1-Remote-Code-Execution.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\",\"VDB 
Entry\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2022/02/11/3\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Mitigation\",\"Third Party Advisory\"]},{\"url\":\"https://lists.apache.org/thread/lcdqywz8zy94mdysk7p3gfdgn51jmt94\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Mitigation\",\"Vendor Advisory\"]},{\"url\":\"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-24112\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Third Party Advisory\",\"US Government Resource\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://lists.apache.org/thread/lcdqywz8zy94mdysk7p3gfdgn51jmt94\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2022/02/11/3\", \"name\": \"[oss-security] 20220211 CVE-2022-24112: Apache APISIX: apisix/batch-requests plugin allows overwriting the X-REAL-IP header\", \"tags\": [\"mailing-list\", \"x_refsource_MLIST\", \"x_transferred\"]}, {\"url\": \"http://packetstormsecurity.com/files/166228/Apache-APISIX-Remote-Code-Execution.html\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"http://packetstormsecurity.com/files/166328/Apache-APISIX-2.12.1-Remote-Code-Execution.html\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-03T03:59:23.660Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 9.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-24112\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"active\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-01-29T21:21:39.557669Z\"}}}, {\"other\": {\"type\": \"kev\", \"content\": {\"dateAdded\": \"2022-08-25\", \"reference\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-24112\"}}}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2022-08-25T00:00:00+00:00\", 
\"value\": \"CVE-2022-24112 added to CISA KEV\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-01-29T21:23:43.697Z\"}}], \"cna\": {\"title\": \"apisix/batch-requests plugin allows overwriting the X-REAL-IP header\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"value\": \"Original discovery by Real World CTF at Chaitin Tech. Reported by Sauercloud.\"}], \"metrics\": [{\"other\": {\"type\": \"unknown\", \"content\": {\"other\": \"high\"}}}], \"affected\": [{\"vendor\": \"Apache Software Foundation\", \"product\": \"Apache APISIX\", \"versions\": [{\"status\": \"affected\", \"version\": \"Apache APISIX 2.12\", \"lessThan\": \"2.12.1\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"Apache APISIX 2.10\", \"lessThan\": \"2.10.4\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"1.3\", \"lessThan\": \"Apache APISIX 1*\", \"versionType\": \"custom\"}]}], \"references\": [{\"url\": \"https://lists.apache.org/thread/lcdqywz8zy94mdysk7p3gfdgn51jmt94\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2022/02/11/3\", \"name\": \"[oss-security] 20220211 CVE-2022-24112: Apache APISIX: apisix/batch-requests plugin allows overwriting the X-REAL-IP header\", \"tags\": [\"mailing-list\", \"x_refsource_MLIST\"]}, {\"url\": \"http://packetstormsecurity.com/files/166228/Apache-APISIX-Remote-Code-Execution.html\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"http://packetstormsecurity.com/files/166328/Apache-APISIX-2.12.1-Remote-Code-Execution.html\", \"tags\": [\"x_refsource_MISC\"]}], \"workarounds\": [{\"lang\": \"en\", \"value\": \"1. explicitly configure the enabled plugins in `conf/config.yaml`, ensure `batch-requests` is disabled. (Or just comment out `batch-requests` in `conf/config-default.yaml`)\\nOr\\n1. 
upgrade to 2.10.4 or 2.12.1.\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.0.9\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"An attacker can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. A default configuration of Apache APISIX (with default API key) is vulnerable to remote code execution. When the admin key was changed or the port of Admin API was changed to a port different from the data panel, the impact is lower. But there is still a risk to bypass the IP restriction of Apache APISIX\u0027s data panel. There is a check in the batch-requests plugin which overrides the client IP with its real remote IP. But due to a bug in the code, this check can be bypassed.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-290\", \"description\": \"CWE-290 Authentication Bypass by Spoofing\"}]}], \"providerMetadata\": {\"orgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"shortName\": \"apache\", \"dateUpdated\": \"2022-03-16T18:06:16.000Z\"}, \"x_legacyV4Record\": {\"credit\": [{\"lang\": \"eng\", \"value\": \"Original discovery by Real World CTF at Chaitin Tech. 
Reported by Sauercloud.\"}], \"impact\": [{\"other\": \"high\"}], \"source\": {\"discovery\": \"UNKNOWN\"}, \"affects\": {\"vendor\": {\"vendor_data\": [{\"product\": {\"product_data\": [{\"version\": {\"version_data\": [{\"version_name\": \"Apache APISIX 2.12\", \"version_value\": \"2.12.1\", \"version_affected\": \"\u003c\"}, {\"version_name\": \"Apache APISIX 2.10\", \"version_value\": \"2.10.4\", \"version_affected\": \"\u003c\"}, {\"version_name\": \"Apache APISIX 1\", \"version_value\": \"1.3\", \"version_affected\": \"\u003e=\"}]}, \"product_name\": \"Apache APISIX\"}]}, \"vendor_name\": \"Apache Software Foundation\"}]}}, \"data_type\": \"CVE\", \"generator\": {\"engine\": \"Vulnogram 0.0.9\"}, \"references\": {\"reference_data\": [{\"url\": \"https://lists.apache.org/thread/lcdqywz8zy94mdysk7p3gfdgn51jmt94\", \"name\": \"https://lists.apache.org/thread/lcdqywz8zy94mdysk7p3gfdgn51jmt94\", \"refsource\": \"MISC\"}, {\"url\": \"http://www.openwall.com/lists/oss-security/2022/02/11/3\", \"name\": \"[oss-security] 20220211 CVE-2022-24112: Apache APISIX: apisix/batch-requests plugin allows overwriting the X-REAL-IP header\", \"refsource\": \"MLIST\"}, {\"url\": \"http://packetstormsecurity.com/files/166228/Apache-APISIX-Remote-Code-Execution.html\", \"name\": \"http://packetstormsecurity.com/files/166228/Apache-APISIX-Remote-Code-Execution.html\", \"refsource\": \"MISC\"}, {\"url\": \"http://packetstormsecurity.com/files/166328/Apache-APISIX-2.12.1-Remote-Code-Execution.html\", \"name\": \"http://packetstormsecurity.com/files/166328/Apache-APISIX-2.12.1-Remote-Code-Execution.html\", \"refsource\": \"MISC\"}]}, \"data_format\": \"MITRE\", \"description\": {\"description_data\": [{\"lang\": \"eng\", \"value\": \"An attacker can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. A default configuration of Apache APISIX (with default API key) is vulnerable to remote code execution. 
When the admin key was changed or the port of Admin API was changed to a port different from the data panel, the impact is lower. But there is still a risk to bypass the IP restriction of Apache APISIX\u0027s data panel. There is a check in the batch-requests plugin which overrides the client IP with its real remote IP. But due to a bug in the code, this check can be bypassed.\"}]}, \"problemtype\": {\"problemtype_data\": [{\"description\": [{\"lang\": \"eng\", \"value\": \"CWE-290 Authentication Bypass by Spoofing\"}]}]}, \"work_around\": [{\"lang\": \"en\", \"value\": \"1. explicitly configure the enabled plugins in `conf/config.yaml`, ensure `batch-requests` is disabled. (Or just comment out `batch-requests` in `conf/config-default.yaml`)\\nOr\\n1. upgrade to 2.10.4 or 2.12.1.\"}], \"data_version\": \"4.0\", \"CVE_data_meta\": {\"ID\": \"CVE-2022-24112\", \"STATE\": \"PUBLIC\", \"TITLE\": \"apisix/batch-requests plugin allows overwriting the X-REAL-IP header\", \"ASSIGNER\": \"security@apache.org\"}}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2022-24112\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-10-21T18:45:55.210Z\", \"dateReserved\": \"2022-01-28T00:00:00.000Z\", \"assignerOrgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"datePublished\": \"2022-02-11T12:20:13.000Z\", \"assignerShortName\": \"apache\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

