You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@apisix.apache.org by Zexuan Luo <sp...@apache.org> on 2022/02/11 08:51:21 UTC

CVE-2022-24112: Apache APISIX: apisix/batch-requests plugin allows overwriting the X-REAL-IP header

Severity: high

Description:

An attacker can abuse the batch-requests plugin to send requests to
bypass the IP restriction of Admin API.
A default configuration of Apache APISIX (with default API key) is
vulnerable to remote code execution.
When the admin key was changed or the port of Admin API was changed to
a port different from the data panel, the impact is lower. But there
is still a risk to bypass the IP restriction of Apache APISIX's data
panel.

There is a check in the batch-requests plugin which overrides the
client IP with its real remote IP. But due to a bug in the code, this
check can be bypassed.

Mitigation:

1. explicitly configure the enabled plugins in `conf/config.yaml`,
ensure `batch-requests` is disabled. (Or just comment out
`batch-requests` in `conf/config-default.yaml`)
Or
1. upgrade to 2.10.4 or 2.12.1.

Credit:

Original discovery by Real World CTF at Chaitin Tech. Reported by Sauercloud.