What is the vulnerability ID for the Apache APISIX Authentication Bypass Vulnerability?

The vulnerability ID for the Apache APISIX Authentication Bypass Vulnerability is CVE-2022-24112.

What is the severity of CVE-2022-24112?

The severity of CVE-2022-24112 is critical with a CVSS score of 9.8.

Which software is affected by CVE-2022-24112?

Apache APISIX versions up to 2.10.4 and versions between 2.11.0 and 2.12.1 are affected by CVE-2022-24112.

Are there any references for CVE-2022-24112?

Yes, you can find references for CVE-2022-24112 at the following links: [Link 1](https://lists.apache.org/thread/lcdqywz8zy94mdysk7p3gfdgn51jmt94), [Link 2](http://packetstormsecurity.com/files/166228/Apache-APISIX-Remote-Code-Execution.html), [Link 3](http://packetstormsecurity.com/files/166328/Apache-APISIX-2.12.1-Remote-Code-Execution.html)

Vulnerability/
CVE-2022-24112

Exploited

critical

9.8

CWE

290

11/2/2022

11/5/2022

CVE-2022-24112: Apache APISIX Authentication Bypass Vulnerability

First published: Fri Feb 11 2022(Updated: )

An attacker can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. A default configuration of Apache APISIX (with default API key) is vulnerable to remote code execution. When the admin key was changed or the port of Admin API was changed to a port different from the data panel, the impact is lower. But there is still a risk to bypass the IP restriction of Apache APISIX's data panel. There is a check in the batch-requests plugin which overrides the client IP with its real remote IP. But due to a bug in the code, this check can be bypassed.

Credit: security@apache.org

Affected Software	Affected Version	How to fix
Apache APISIX
Apache APISIX	<2.10.4
Apache APISIX	>=2.11.0<2.12.1

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the vulnerability ID for the Apache APISIX Authentication Bypass Vulnerability?
The vulnerability ID for the Apache APISIX Authentication Bypass Vulnerability is CVE-2022-24112.
What is the severity of CVE-2022-24112?
The severity of CVE-2022-24112 is critical with a CVSS score of 9.8.
How can an attacker exploit CVE-2022-24112?
An attacker can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API, leading to remote code execution.
Which software is affected by CVE-2022-24112?
Apache APISIX versions up to 2.10.4 and versions between 2.11.0 and 2.12.1 are affected by CVE-2022-24112.
Are there any references for CVE-2022-24112?
Yes, you can find references for CVE-2022-24112 at the following links: [Link 1](https://lists.apache.org/thread/lcdqywz8zy94mdysk7p3gfdgn51jmt94), [Link 2](http://packetstormsecurity.com/files/166228/Apache-APISIX-Remote-Code-Execution.html), [Link 3](http://packetstormsecurity.com/files/166328/Apache-APISIX-2.12.1-Remote-Code-Execution.html)

agent/author
agent/description
agent/event
agent/first-publish-date
agent/last-modified-date
agent/references
agent/severity
agent/softwarecombine
agent/tags
agent/title
agent/type
agent/weakness
exploited/true
collector/cisa-known-exploited
source/CISA
agent/software-canonical-lookup
collector/nvd-index
vendor/apache
canonical/apache apisix
version/apache apisix/2.11.0

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.