CVE-2022-24112
Published: 2022-02-11
Severity: critical, CVSS 3.1 base score 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Tags: KEV, ITW, EXPLOIT
CISA Known Exploited Vulnerabilities: listed, remediation due 2022-09-15
Exploited in the wild
An attacker can abuse the batch-requests plugin to send requests that bypass the IP restriction of the Admin API. A default configuration of Apache APISIX (with the default Admin API key) is vulnerable to remote code execution. When the admin key has been changed, or the Admin API has been moved to a port different from the data plane, the impact is lower, but there is still a risk of bypassing the IP restriction of the Apache APISIX data plane. The batch-requests plugin contains a check that overrides the client IP with the real remote IP, but due to a bug in the code this check can be bypassed.
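The description above says the attack rides the batch-requests plugin into the Admin API and defeats the plugin's client-IP override. The following detection helper is an added example for this page, not code from the Apache APISIX project: it inspects the JSON body a client posts to the batch-requests endpoint and flags (1) pipeline entries whose path resolves under the Admin API and (2) client-supplied client-IP headers in any letter case. The body shape (`headers` plus a `pipeline` list of `path`/`method`/`headers` objects), the Admin API prefix `/apisix/admin`, and the header names `X-Real-IP` / `X-Forwarded-For` are assumptions not stated on the page; the sample bodies are constructed, not captured traffic.

```python
"""
Detection helper for batch-requests -> Admin API abuse (CVE-2022-24112 style).

Added example, not Apache APISIX project code. Assumptions (not on the page):
the batch-requests body looks like
  {"headers": {...}, "pipeline": [{"path": ..., "method": ..., "headers": {...}}, ...]}
the Admin API is served under /apisix/admin, and the client-IP headers worth
watching are X-Real-IP and X-Forwarded-For.
"""
import json
import posixpath
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

ADMIN_PREFIX = "/apisix/admin"                         # assumed Admin API prefix
CLIENT_IP_HEADERS = {"x-real-ip", "x-forwarded-for"}   # assumed header names


@dataclass
class Finding:
    admin_paths: List[str] = field(default_factory=list)               # normalized pipeline paths under the Admin API
    ip_overrides: List[Tuple[str, str]] = field(default_factory=list)  # (where, header-as-sent)
    parse_error: Optional[str] = None

    @property
    def suspicious(self) -> bool:
        return bool(self.admin_paths or self.ip_overrides)


def _normalize(path: str) -> str:
    # Drop the query string and collapse "//", "/./" and "/../" so that
    # "/apisix//admin/../admin/routes/1" still lands under the admin prefix.
    path = path.split("?", 1)[0]
    if not path.startswith("/"):
        path = "/" + path
    return posixpath.normpath(path)


def _ip_header_names(headers) -> List[str]:
    # HTTP header names are case-insensitive, so match on the lowercased name;
    # a check that only looks for one spelling is exactly what an attacker avoids.
    if not isinstance(headers, dict):
        return []
    return [h for h in headers if isinstance(h, str) and h.lower() in CLIENT_IP_HEADERS]


def inspect_batch_body(body: str) -> Finding:
    """Parse one batch-requests body and report what a defender should flag."""
    finding = Finding()
    try:
        doc = json.loads(body)
    except ValueError as exc:
        finding.parse_error = f"body is not JSON: {exc}"
        return finding
    if not isinstance(doc, dict):
        finding.parse_error = "body is not a JSON object"
        return finding

    for name in _ip_header_names(doc.get("headers")):
        finding.ip_overrides.append(("top-level", name))

    for idx, req in enumerate(doc.get("pipeline") or []):
        if not isinstance(req, dict):
            continue
        path = req.get("path")
        if isinstance(path, str):
            norm = _normalize(path)
            if norm == ADMIN_PREFIX or norm.startswith(ADMIN_PREFIX + "/"):
                finding.admin_paths.append(norm)
        for name in _ip_header_names(req.get("headers")):
            finding.ip_overrides.append((f"pipeline[{idx}]", name))
    return finding


# Constructed sample bodies for demonstration (not captured traffic).
SAMPLES = {
    "benign": json.dumps({
        "pipeline": [{"path": "/api/orders", "method": "GET"}],
    }),
    "admin_via_batch": json.dumps({
        "headers": {"x-REAL-ip": "127.0.0.1"},
        "pipeline": [{"path": "/apisix//admin/../admin/routes/1", "method": "PUT"}],
    }),
    "lowercase_header_only": json.dumps({
        "pipeline": [{"path": "/api/orders", "method": "GET",
                      "headers": {"x-forwarded-for": "127.0.0.1"}}],
    }),
}


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        f = inspect_batch_body(body)
        print(f"{name:22s} suspicious={f.suspicious} admin_paths={f.admin_paths} "
              f"ip_overrides={f.ip_overrides}")
```

The helper is meant to sit where request bodies are visible (a WAF, reverse proxy or body-logging pipeline in front of the gateway); an access log alone only shows the batch-requests URL, not the pipeline targets. Treat any hit as a reason to upgrade to the fixed releases in the table below; the detection is a stopgap, not a patch.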
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | apisix | < 2.10.4 | 2.10.4 |
| apache | apisix | >= 2.11.0, < 2.12.1 | 2.12.1 |
| apache_software_foundation | apache_apisix | >= 1.3 (1.x series) | no fixed 1.x release listed |
| apache_software_foundation | apache_apisix | >= 2.10, < 2.10.4 | 2.10.4 |
| apache_software_foundation | apache_apisix | >= 2.12, < 2.12.1 | 2.12.1 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| VulnCheck | | 9.8 | CRITICAL | |
| CISA | | 9.8 | CRITICAL | |