oss-sec mailing list archives
CVE-2022-24112: Apache APISIX: apisix/batch-requests plugin allows overwriting the X-REAL-IP header
From: Zexuan Luo <spacewander () apache org>
Date: Fri, 11 Feb 2022 16:51:21 +0800
Severity: high Description: An attacker can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. A default configuration of Apache APISIX (with default API key) is vulnerable to remote code execution. When the admin key was changed or the port of Admin API was changed to a port different from the data panel, the impact is lower. But there is still a risk to bypass the IP restriction of Apache APISIX's data panel. There is a check in the batch-requests plugin which overrides the client IP with its real remote IP. But due to a bug in the code, this check can be bypassed. Mitigation: 1. explicitly configure the enabled plugins in `conf/config.yaml`, ensure `batch-requests` is disabled. (Or just comment out `batch-requests` in `conf/config-default.yaml`) Or 1. upgrade to 2.10.4 or 2.12.1. Credit: Original discovery by Real World CTF at Chaitin Tech. Reported by Sauercloud.
Current thread:
- CVE-2022-24112: Apache APISIX: apisix/batch-requests plugin allows overwriting the X-REAL-IP header Zexuan Luo (Feb 11)