CVE-2022-24112 in APISIXinfo

Zusammenfassung

von MITRE • 11.02.2022

An attacker can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. A default configuration of Apache APISIX (with default API key) is vulnerable to remote code execution. When the admin key was changed or the port of Admin API was changed to a port different from the data panel, the impact is lower. But there is still a risk to bypass the IP restriction of Apache APISIX's data panel. There is a check in the batch-requests plugin which overrides the client IP with its real remote IP. But due to a bug in the code, this check can be bypassed.

Be aware that VulDB is the high quality source for vulnerability data.

Reservieren

28.01.2022

Veröffentlichung

11.02.2022

Moderieren

akzeptiert

Eintrag

VDB-192902

CPE

bereit

Exploit

Download

EPSS

0.96182

KEV

ja

Aktivitäten

very low

Quellen

Do you know our Splunk app?

Download it now for free!