cve-2022-25757
Vulnerability from cvelistv5
Published
2022-03-28 07:00
Modified
2024-08-03 04:49
Severity ?
Summary
In Apache APISIX before 2.13.0, when decoding JSON with duplicate keys, lua-cjson will choose the last occurred value as the result. By passing a JSON with a duplicate key, the attacker can bypass the body_schema validation in the request-validation plugin. For example, `{"string_payload":"bad","string_payload":"good"}` can be used to hide the "bad" input. Systems satisfy three conditions below are affected by this attack: 1. use body_schema validation in the request-validation plugin 2. upstream application uses a special JSON library that chooses the first occurred value, like jsoniter or gojay 3. upstream application does not validate the input anymore. The fix in APISIX is to re-encode the validated JSON input back into the request body at the side of APISIX. Improper Input Validation vulnerability in __COMPONENT__ of Apache APISIX allows an attacker to __IMPACT__. This issue affects Apache APISIX Apache APISIX version 2.12.1 and prior versions.
References
security@apache.orghttp://www.openwall.com/lists/oss-security/2022/03/28/2Mailing List, Third Party Advisory
security@apache.orghttps://lists.apache.org/thread/03vd2j81krxmpz6xo8p1dl642flpo6fvMailing List, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108http://www.openwall.com/lists/oss-security/2022/03/28/2Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://lists.apache.org/thread/03vd2j81krxmpz6xo8p1dl642flpo6fvMailing List, Vendor Advisory
Impacted products
Vendor Product Version
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T04:49:43.256Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread/03vd2j81krxmpz6xo8p1dl642flpo6fv"
          },
          {
            "name": "[oss-security] 20220328 CVE-2022-25757: Apache APISIX: the body_schema check in request-validation plugin can be bypassed",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2022/03/28/2"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Apache APISIX",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "2.12.1",
              "status": "affected",
              "version": "Apache APISIX",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Thanks for Guangli Dong from www.huoxian.cn"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In Apache APISIX before 2.13.0, when decoding JSON with duplicate keys, lua-cjson will choose the last occurred value as the result. By passing a JSON with a duplicate key, the attacker can bypass the body_schema validation in the request-validation plugin. For example, `{\"string_payload\":\"bad\",\"string_payload\":\"good\"}` can be used to hide the \"bad\" input. Systems satisfy three conditions below are affected by this attack: 1. use body_schema validation in the request-validation plugin 2. upstream application uses a special JSON library that chooses the first occurred value, like jsoniter or gojay 3. upstream application does not validate the input anymore. The fix in APISIX is to re-encode the validated JSON input back into the request body at the side of APISIX. Improper Input Validation vulnerability in __COMPONENT__ of Apache APISIX allows an attacker to __IMPACT__. This issue affects Apache APISIX Apache APISIX version 2.12.1 and prior versions."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "other": "low"
            },
            "type": "unknown"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "CWE-20 Improper Input Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-03-28T11:06:08",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://lists.apache.org/thread/03vd2j81krxmpz6xo8p1dl642flpo6fv"
        },
        {
          "name": "[oss-security] 20220328 CVE-2022-25757: Apache APISIX: the body_schema check in request-validation plugin can be bypassed",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2022/03/28/2"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Apache APISIX: the body_schema check in request-validation plugin can be bypassed",
      "workarounds": [
        {
          "lang": "en",
          "value": "1. upgrade APISIX to 2.13.0 if you need to use the body_schema validation in the request-validation plugin\n2. add additional validation in the application code, embrace defensive programming"
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2022-25757",
          "STATE": "PUBLIC",
          "TITLE": "Apache APISIX: the body_schema check in request-validation plugin can be bypassed"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Apache APISIX",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_name": "Apache APISIX",
                            "version_value": "2.12.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Apache Software Foundation"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Thanks for Guangli Dong from www.huoxian.cn"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "In Apache APISIX before 2.13.0, when decoding JSON with duplicate keys, lua-cjson will choose the last occurred value as the result. By passing a JSON with a duplicate key, the attacker can bypass the body_schema validation in the request-validation plugin. For example, `{\"string_payload\":\"bad\",\"string_payload\":\"good\"}` can be used to hide the \"bad\" input. Systems satisfy three conditions below are affected by this attack: 1. use body_schema validation in the request-validation plugin 2. upstream application uses a special JSON library that chooses the first occurred value, like jsoniter or gojay 3. upstream application does not validate the input anymore. The fix in APISIX is to re-encode the validated JSON input back into the request body at the side of APISIX. Improper Input Validation vulnerability in __COMPONENT__ of Apache APISIX allows an attacker to __IMPACT__. This issue affects Apache APISIX Apache APISIX version 2.12.1 and prior versions."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": [
          {
            "other": "low"
          }
        ],
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-20 Improper Input Validation"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://lists.apache.org/thread/03vd2j81krxmpz6xo8p1dl642flpo6fv",
              "refsource": "MISC",
              "url": "https://lists.apache.org/thread/03vd2j81krxmpz6xo8p1dl642flpo6fv"
            },
            {
              "name": "[oss-security] 20220328 CVE-2022-25757: Apache APISIX: the body_schema check in request-validation plugin can be bypassed",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2022/03/28/2"
            }
          ]
        },
        "source": {
          "discovery": "UNKNOWN"
        },
        "work_around": [
          {
            "lang": "en",
            "value": "1. upgrade APISIX to 2.13.0 if you need to use the body_schema validation in the request-validation plugin\n2. add additional validation in the application code, embrace defensive programming"
          }
        ]
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2022-25757",
    "datePublished": "2022-03-28T07:00:16",
    "dateReserved": "2022-02-22T00:00:00",
    "dateUpdated": "2024-08-03T04:49:43.256Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:apisix:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"2.13.0\", \"matchCriteriaId\": \"A98786C4-0B1A-4E17-93EF-9FE47819FF3F\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"In Apache APISIX before 2.13.0, when decoding JSON with duplicate keys, lua-cjson will choose the last occurred value as the result. By passing a JSON with a duplicate key, the attacker can bypass the body_schema validation in the request-validation plugin. For example, `{\\\"string_payload\\\":\\\"bad\\\",\\\"string_payload\\\":\\\"good\\\"}` can be used to hide the \\\"bad\\\" input. Systems satisfy three conditions below are affected by this attack: 1. use body_schema validation in the request-validation plugin 2. upstream application uses a special JSON library that chooses the first occurred value, like jsoniter or gojay 3. upstream application does not validate the input anymore. The fix in APISIX is to re-encode the validated JSON input back into the request body at the side of APISIX. Improper Input Validation vulnerability in __COMPONENT__ of Apache APISIX allows an attacker to __IMPACT__. This issue affects Apache APISIX Apache APISIX version 2.12.1 and prior versions.\"}, {\"lang\": \"es\", \"value\": \"En Apache APISIX versiones anteriores a 2.13.0, cuando es decodificado JSON con claves duplicadas, lua-cjson elegir\\u00e1 como resultado el \\u00faltimo valor ocurrido. Al pasar un JSON con una clave duplicada, el atacante puede omitir la comprobaci\\u00f3n body_schema en el plugin de comprobaci\\u00f3n de peticiones. Por ejemplo, \\\"{\\\"string_payload\\\": \\\"bad\\\", \\\"string_payload\\\": \\\"good\\\"}\\\" puede usarse para ocultar la entrada \\\"bad\\\". Los sistemas que cumplen las tres condiciones siguientes est\\u00e1n afectados por este ataque: 1. usar la comprobaci\\u00f3n body_schema en el plugin de comprobaci\\u00f3n de peticiones 2. la aplicaci\\u00f3n upstream usa una librer\\u00eda JSON especial que elige el primer valor ocurrido, como jsoniter o gojay 3. la aplicaci\\u00f3n upstream ya no comprueba la entrada. La soluci\\u00f3n en APISIX es recodificar la entrada JSON comprobada en el cuerpo de la petici\\u00f3n en el lado de APISIX. Una vulnerabilidad de comprobaci\\u00f3n de entrada inapropiada en __COMPONENT__ de Apache APISIX permite a un atacante __IMPACT__. Este problema afecta a Apache APISIX versiones 2.12.1 y anteriores\"}]",
      "id": "CVE-2022-25757",
      "lastModified": "2024-11-21T06:52:56.853",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.9}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:M/Au:N/C:P/I:P/A:P\", \"baseScore\": 6.8, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 8.6, \"impactScore\": 6.4, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2022-03-28T07:15:06.730",
      "references": "[{\"url\": \"http://www.openwall.com/lists/oss-security/2022/03/28/2\", \"source\": \"security@apache.org\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"https://lists.apache.org/thread/03vd2j81krxmpz6xo8p1dl642flpo6fv\", \"source\": \"security@apache.org\", \"tags\": [\"Mailing List\", \"Vendor Advisory\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2022/03/28/2\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"https://lists.apache.org/thread/03vd2j81krxmpz6xo8p1dl642flpo6fv\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Vendor Advisory\"]}]",
      "sourceIdentifier": "security@apache.org",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"security@apache.org\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-20\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-20\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-25757\",\"sourceIdentifier\":\"security@apache.org\",\"published\":\"2022-03-28T07:15:06.730\",\"lastModified\":\"2024-11-21T06:52:56.853\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In Apache APISIX before 2.13.0, when decoding JSON with duplicate keys, lua-cjson will choose the last occurred value as the result. By passing a JSON with a duplicate key, the attacker can bypass the body_schema validation in the request-validation plugin. For example, `{\\\"string_payload\\\":\\\"bad\\\",\\\"string_payload\\\":\\\"good\\\"}` can be used to hide the \\\"bad\\\" input. Systems satisfy three conditions below are affected by this attack: 1. use body_schema validation in the request-validation plugin 2. upstream application uses a special JSON library that chooses the first occurred value, like jsoniter or gojay 3. upstream application does not validate the input anymore. The fix in APISIX is to re-encode the validated JSON input back into the request body at the side of APISIX. Improper Input Validation vulnerability in __COMPONENT__ of Apache APISIX allows an attacker to __IMPACT__. This issue affects Apache APISIX Apache APISIX version 2.12.1 and prior versions.\"},{\"lang\":\"es\",\"value\":\"En Apache APISIX versiones anteriores a 2.13.0, cuando es decodificado JSON con claves duplicadas, lua-cjson elegir\u00e1 como resultado el \u00faltimo valor ocurrido. Al pasar un JSON con una clave duplicada, el atacante puede omitir la comprobaci\u00f3n body_schema en el plugin de comprobaci\u00f3n de peticiones. Por ejemplo, \\\"{\\\"string_payload\\\": \\\"bad\\\", \\\"string_payload\\\": \\\"good\\\"}\\\" puede usarse para ocultar la entrada \\\"bad\\\". Los sistemas que cumplen las tres condiciones siguientes est\u00e1n afectados por este ataque: 1. usar la comprobaci\u00f3n body_schema en el plugin de comprobaci\u00f3n de peticiones 2. la aplicaci\u00f3n upstream usa una librer\u00eda JSON especial que elige el primer valor ocurrido, como jsoniter o gojay 3. la aplicaci\u00f3n upstream ya no comprueba la entrada. La soluci\u00f3n en APISIX es recodificar la entrada JSON comprobada en el cuerpo de la petici\u00f3n en el lado de APISIX. Una vulnerabilidad de comprobaci\u00f3n de entrada inapropiada en __COMPONENT__ de Apache APISIX permite a un atacante __IMPACT__. Este problema afecta a Apache APISIX versiones 2.12.1 y anteriores\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:P/I:P/A:P\",\"baseScore\":6.8,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"security@apache.org\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-20\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-20\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:apisix:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2.13.0\",\"matchCriteriaId\":\"A98786C4-0B1A-4E17-93EF-9FE47819FF3F\"}]}]}],\"references\":[{\"url\":\"http://www.openwall.com/lists/oss-security/2022/03/28/2\",\"source\":\"security@apache.org\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://lists.apache.org/thread/03vd2j81krxmpz6xo8p1dl642flpo6fv\",\"source\":\"security@apache.org\",\"tags\":[\"Mailing List\",\"Vendor Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2022/03/28/2\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://lists.apache.org/thread/03vd2j81krxmpz6xo8p1dl642flpo6fv\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Vendor Advisory\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.