Vulnerability-Lookup

CVE-2022-24112 (GCVE-0-2022-24112)

Vulnerability from cvelistv5 – Published: 2022-02-11 12:20 – Updated: 2025-10-21 23:15

Title

apisix/batch-requests plugin allows overwriting the X-REAL-IP header

Summary

An attacker can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. A default configuration of Apache APISIX (with default API key) is vulnerable to remote code execution. When the admin key was changed or the port of Admin API was changed to a port different from the data panel, the impact is lower. But there is still a risk to bypass the IP restriction of Apache APISIX's data panel. There is a check in the batch-requests plugin which overrides the client IP with its real remote IP. But due to a bug in the code, this check can be bypassed.

Severity ?

No CVSS data available.

CWE

CWE-290 - Authentication Bypass by Spoofing

Assigner

apache

References

URL

Tags

	https://lists.apache.org/thread/lcdqywz8zy94mdysk…	x_refsource_MISC
	http://www.openwall.com/lists/oss-security/2022/02/11/3	mailing-listx_refsource_MLIST
	http://packetstormsecurity.com/files/166228/Apach…	x_refsource_MISC
	http://packetstormsecurity.com/files/166328/Apach…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	Apache APISIX	Affected: Apache APISIX 2.12 , < 2.12.1 (custom) Affected: Apache APISIX 2.10 , < 2.10.4 (custom) Affected: 1.3 , < Apache APISIX 1* (custom)

Credits

Original discovery by Real World CTF at Chaitin Tech. Reported by Sauercloud.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T03:59:23.660Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread/lcdqywz8zy94mdysk7p3gfdgn51jmt94"
          },
          {
            "name": "[oss-security] 20220211 CVE-2022-24112: Apache APISIX: apisix/batch-requests plugin allows overwriting the X-REAL-IP header",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2022/02/11/3"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/166228/Apache-APISIX-Remote-Code-Execution.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/166328/Apache-APISIX-2.12.1-Remote-Code-Execution.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 9.8,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2022-24112",
                "options": [
                  {
                    "Exploitation": "active"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-29T21:21:39.557669Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          },
          {
            "other": {
              "content": {
                "dateAdded": "2022-08-25",
                "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-24112"
              },
              "type": "kev"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-21T23:15:46.674Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "government-resource"
            ],
            "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-24112"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2022-08-25T00:00:00.000Z",
            "value": "CVE-2022-24112 added to CISA KEV"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Apache APISIX",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThan": "2.12.1",
              "status": "affected",
              "version": "Apache APISIX 2.12",
              "versionType": "custom"
            },
            {
              "lessThan": "2.10.4",
              "status": "affected",
              "version": "Apache APISIX 2.10",
              "versionType": "custom"
            },
            {
              "lessThan": "Apache APISIX 1*",
              "status": "affected",
              "version": "1.3",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Original discovery by Real World CTF at Chaitin Tech. Reported by Sauercloud."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An attacker can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. A default configuration of Apache APISIX (with default API key) is vulnerable to remote code execution. When the admin key was changed or the port of Admin API was changed to a port different from the data panel, the impact is lower. But there is still a risk to bypass the IP restriction of Apache APISIX\u0027s data panel. There is a check in the batch-requests plugin which overrides the client IP with its real remote IP. But due to a bug in the code, this check can be bypassed."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "other": "high"
            },
            "type": "unknown"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-290",
              "description": "CWE-290 Authentication Bypass by Spoofing",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-03-16T18:06:16.000Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://lists.apache.org/thread/lcdqywz8zy94mdysk7p3gfdgn51jmt94"
        },
        {
          "name": "[oss-security] 20220211 CVE-2022-24112: Apache APISIX: apisix/batch-requests plugin allows overwriting the X-REAL-IP header",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2022/02/11/3"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://packetstormsecurity.com/files/166228/Apache-APISIX-Remote-Code-Execution.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://packetstormsecurity.com/files/166328/Apache-APISIX-2.12.1-Remote-Code-Execution.html"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "apisix/batch-requests plugin allows overwriting the X-REAL-IP header",
      "workarounds": [
        {
          "lang": "en",
          "value": "1. explicitly configure the enabled plugins in `conf/config.yaml`, ensure `batch-requests` is disabled. (Or just comment out `batch-requests` in `conf/config-default.yaml`)\nOr\n1. upgrade to 2.10.4 or 2.12.1."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2022-24112",
          "STATE": "PUBLIC",
          "TITLE": "apisix/batch-requests plugin allows overwriting the X-REAL-IP header"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Apache APISIX",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "Apache APISIX 2.12",
                            "version_value": "2.12.1"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_name": "Apache APISIX 2.10",
                            "version_value": "2.10.4"
                          },
                          {
                            "version_affected": "\u003e=",
                            "version_name": "Apache APISIX 1",
                            "version_value": "1.3"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Apache Software Foundation"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Original discovery by Real World CTF at Chaitin Tech. Reported by Sauercloud."
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An attacker can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. A default configuration of Apache APISIX (with default API key) is vulnerable to remote code execution. When the admin key was changed or the port of Admin API was changed to a port different from the data panel, the impact is lower. But there is still a risk to bypass the IP restriction of Apache APISIX\u0027s data panel. There is a check in the batch-requests plugin which overrides the client IP with its real remote IP. But due to a bug in the code, this check can be bypassed."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": [
          {
            "other": "high"
          }
        ],
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-290 Authentication Bypass by Spoofing"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://lists.apache.org/thread/lcdqywz8zy94mdysk7p3gfdgn51jmt94",
              "refsource": "MISC",
              "url": "https://lists.apache.org/thread/lcdqywz8zy94mdysk7p3gfdgn51jmt94"
            },
            {
              "name": "[oss-security] 20220211 CVE-2022-24112: Apache APISIX: apisix/batch-requests plugin allows overwriting the X-REAL-IP header",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2022/02/11/3"
            },
            {
              "name": "http://packetstormsecurity.com/files/166228/Apache-APISIX-Remote-Code-Execution.html",
              "refsource": "MISC",
              "url": "http://packetstormsecurity.com/files/166228/Apache-APISIX-Remote-Code-Execution.html"
            },
            {
              "name": "http://packetstormsecurity.com/files/166328/Apache-APISIX-2.12.1-Remote-Code-Execution.html",
              "refsource": "MISC",
              "url": "http://packetstormsecurity.com/files/166328/Apache-APISIX-2.12.1-Remote-Code-Execution.html"
            }
          ]
        },
        "source": {
          "discovery": "UNKNOWN"
        },
        "work_around": [
          {
            "lang": "en",
            "value": "1. explicitly configure the enabled plugins in `conf/config.yaml`, ensure `batch-requests` is disabled. (Or just comment out `batch-requests` in `conf/config-default.yaml`)\nOr\n1. upgrade to 2.10.4 or 2.12.1."
          }
        ]
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2022-24112",
    "datePublished": "2022-02-11T12:20:13.000Z",
    "dateReserved": "2022-01-28T00:00:00.000Z",
    "dateUpdated": "2025-10-21T23:15:46.674Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "cisa_known_exploited": {
      "cveID": "CVE-2022-24112",
      "cwes": "[\"CWE-290\"]",
      "dateAdded": "2022-08-25",
      "dueDate": "2022-09-15",
      "knownRansomwareCampaignUse": "Unknown",
      "notes": "https://lists.apache.org/thread/lcdqywz8zy94mdysk7p3gfdgn51jmt94;  https://nvd.nist.gov/vuln/detail/CVE-2022-24112",
      "product": "APISIX",
      "requiredAction": "Apply updates per vendor instructions.",
      "shortDescription": "Apache APISIX contains an authentication bypass vulnerability that allows for remote code execution.",
      "vendorProject": "Apache",
      "vulnerabilityName": "Apache APISIX Authentication Bypass Vulnerability"
    },
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://lists.apache.org/thread/lcdqywz8zy94mdysk7p3gfdgn51jmt94\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2022/02/11/3\", \"name\": \"[oss-security] 20220211 CVE-2022-24112: Apache APISIX: apisix/batch-requests plugin allows overwriting the X-REAL-IP header\", \"tags\": [\"mailing-list\", \"x_refsource_MLIST\", \"x_transferred\"]}, {\"url\": \"http://packetstormsecurity.com/files/166228/Apache-APISIX-Remote-Code-Execution.html\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"http://packetstormsecurity.com/files/166328/Apache-APISIX-2.12.1-Remote-Code-Execution.html\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-03T03:59:23.660Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 9.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-24112\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"active\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-01-29T21:21:39.557669Z\"}}}, {\"other\": {\"type\": \"kev\", \"content\": {\"dateAdded\": \"2022-08-25\", \"reference\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-24112\"}}}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2022-08-25T00:00:00.000Z\", \"value\": \"CVE-2022-24112 added to CISA KEV\"}], \"references\": [{\"url\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-24112\", \"tags\": [\"government-resource\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-01-29T21:23:43.697Z\"}}], \"cna\": {\"title\": \"apisix/batch-requests plugin allows overwriting the X-REAL-IP header\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"value\": \"Original discovery by Real World CTF at Chaitin Tech. Reported by Sauercloud.\"}], \"metrics\": [{\"other\": {\"type\": \"unknown\", \"content\": {\"other\": \"high\"}}}], \"affected\": [{\"vendor\": \"Apache Software Foundation\", \"product\": \"Apache APISIX\", \"versions\": [{\"status\": \"affected\", \"version\": \"Apache APISIX 2.12\", \"lessThan\": \"2.12.1\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"Apache APISIX 2.10\", \"lessThan\": \"2.10.4\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"1.3\", \"lessThan\": \"Apache APISIX 1*\", \"versionType\": \"custom\"}]}], \"references\": [{\"url\": \"https://lists.apache.org/thread/lcdqywz8zy94mdysk7p3gfdgn51jmt94\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2022/02/11/3\", \"name\": \"[oss-security] 20220211 CVE-2022-24112: Apache APISIX: apisix/batch-requests plugin allows overwriting the X-REAL-IP header\", \"tags\": [\"mailing-list\", \"x_refsource_MLIST\"]}, {\"url\": \"http://packetstormsecurity.com/files/166228/Apache-APISIX-Remote-Code-Execution.html\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"http://packetstormsecurity.com/files/166328/Apache-APISIX-2.12.1-Remote-Code-Execution.html\", \"tags\": [\"x_refsource_MISC\"]}], \"workarounds\": [{\"lang\": \"en\", \"value\": \"1. explicitly configure the enabled plugins in `conf/config.yaml`, ensure `batch-requests` is disabled. (Or just comment out `batch-requests` in `conf/config-default.yaml`)\\nOr\\n1. upgrade to 2.10.4 or 2.12.1.\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.0.9\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"An attacker can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. A default configuration of Apache APISIX (with default API key) is vulnerable to remote code execution. When the admin key was changed or the port of Admin API was changed to a port different from the data panel, the impact is lower. But there is still a risk to bypass the IP restriction of Apache APISIX\u0027s data panel. There is a check in the batch-requests plugin which overrides the client IP with its real remote IP. But due to a bug in the code, this check can be bypassed.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-290\", \"description\": \"CWE-290 Authentication Bypass by Spoofing\"}]}], \"providerMetadata\": {\"orgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"shortName\": \"apache\", \"dateUpdated\": \"2022-03-16T18:06:16.000Z\"}, \"x_legacyV4Record\": {\"credit\": [{\"lang\": \"eng\", \"value\": \"Original discovery by Real World CTF at Chaitin Tech. Reported by Sauercloud.\"}], \"impact\": [{\"other\": \"high\"}], \"source\": {\"discovery\": \"UNKNOWN\"}, \"affects\": {\"vendor\": {\"vendor_data\": [{\"product\": {\"product_data\": [{\"version\": {\"version_data\": [{\"version_name\": \"Apache APISIX 2.12\", \"version_value\": \"2.12.1\", \"version_affected\": \"\u003c\"}, {\"version_name\": \"Apache APISIX 2.10\", \"version_value\": \"2.10.4\", \"version_affected\": \"\u003c\"}, {\"version_name\": \"Apache APISIX 1\", \"version_value\": \"1.3\", \"version_affected\": \"\u003e=\"}]}, \"product_name\": \"Apache APISIX\"}]}, \"vendor_name\": \"Apache Software Foundation\"}]}}, \"data_type\": \"CVE\", \"generator\": {\"engine\": \"Vulnogram 0.0.9\"}, \"references\": {\"reference_data\": [{\"url\": \"https://lists.apache.org/thread/lcdqywz8zy94mdysk7p3gfdgn51jmt94\", \"name\": \"https://lists.apache.org/thread/lcdqywz8zy94mdysk7p3gfdgn51jmt94\", \"refsource\": \"MISC\"}, {\"url\": \"http://www.openwall.com/lists/oss-security/2022/02/11/3\", \"name\": \"[oss-security] 20220211 CVE-2022-24112: Apache APISIX: apisix/batch-requests plugin allows overwriting the X-REAL-IP header\", \"refsource\": \"MLIST\"}, {\"url\": \"http://packetstormsecurity.com/files/166228/Apache-APISIX-Remote-Code-Execution.html\", \"name\": \"http://packetstormsecurity.com/files/166228/Apache-APISIX-Remote-Code-Execution.html\", \"refsource\": \"MISC\"}, {\"url\": \"http://packetstormsecurity.com/files/166328/Apache-APISIX-2.12.1-Remote-Code-Execution.html\", \"name\": \"http://packetstormsecurity.com/files/166328/Apache-APISIX-2.12.1-Remote-Code-Execution.html\", \"refsource\": \"MISC\"}]}, \"data_format\": \"MITRE\", \"description\": {\"description_data\": [{\"lang\": \"eng\", \"value\": \"An attacker can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. A default configuration of Apache APISIX (with default API key) is vulnerable to remote code execution. When the admin key was changed or the port of Admin API was changed to a port different from the data panel, the impact is lower. But there is still a risk to bypass the IP restriction of Apache APISIX\u0027s data panel. There is a check in the batch-requests plugin which overrides the client IP with its real remote IP. But due to a bug in the code, this check can be bypassed.\"}]}, \"problemtype\": {\"problemtype_data\": [{\"description\": [{\"lang\": \"eng\", \"value\": \"CWE-290 Authentication Bypass by Spoofing\"}]}]}, \"work_around\": [{\"lang\": \"en\", \"value\": \"1. explicitly configure the enabled plugins in `conf/config.yaml`, ensure `batch-requests` is disabled. (Or just comment out `batch-requests` in `conf/config-default.yaml`)\\nOr\\n1. upgrade to 2.10.4 or 2.12.1.\"}], \"data_version\": \"4.0\", \"CVE_data_meta\": {\"ID\": \"CVE-2022-24112\", \"STATE\": \"PUBLIC\", \"TITLE\": \"apisix/batch-requests plugin allows overwriting the X-REAL-IP header\", \"ASSIGNER\": \"security@apache.org\"}}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2022-24112\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-10-21T23:15:46.674Z\", \"dateReserved\": \"2022-01-28T00:00:00.000Z\", \"assignerOrgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"datePublished\": \"2022-02-11T12:20:13.000Z\", \"assignerShortName\": \"apache\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

GHSA-2VC7-6W39-6RH2

Vulnerability from github – Published: 2022-02-12 00:00 – Updated: 2025-10-22 00:32

Details

Severity ?

9.8 (Critical)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2022-24112"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-290"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-02-11T13:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "An attacker can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. A default configuration of Apache APISIX (with default API key) is vulnerable to remote code execution. When the admin key was changed or the port of Admin API was changed to a port different from the data panel, the impact is lower. But there is still a risk to bypass the IP restriction of Apache APISIX\u0027s data panel. There is a check in the batch-requests plugin which overrides the client IP with its real remote IP. But due to a bug in the code, this check can be bypassed.",
  "id": "GHSA-2vc7-6w39-6rh2",
  "modified": "2025-10-22T00:32:29Z",
  "published": "2022-02-12T00:00:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24112"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/lcdqywz8zy94mdysk7p3gfdgn51jmt94"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-24112"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/166228/Apache-APISIX-Remote-Code-Execution.html"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/166328/Apache-APISIX-2.12.1-Remote-Code-Execution.html"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2022/02/11/3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

CNVD-2022-12799

Vulnerability from cnvd - Published: 2022-02-20

Title

Apache Apisix远程代码执行漏洞

Description

Apache Apisix是美国阿帕奇（Apache）基金会的一个云原生的微服务API网关服务。该软件基于 OpenResty 和 etcd 来实现，具备动态路由和插件热加载，适合微服务体系下的 API 管理。 Apache APISIX中存在远程代码执行漏洞，该漏洞源于产品的batch-requests插件未对用户的批处理请求进行有效限制。攻击者可通过该漏洞绕过Admin API的IP限制，容易导致远程代码执行。

Severity

高

Patch Name

Apache Apisix远程代码执行漏洞的补丁

Patch Description

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://lists.apache.org/thread/lcdqywz8zy94mdysk7p3gfdgn51jmt94

Reference

https://nvd.nist.gov/vuln/detail/CVE-2022-24112

Impacted products

Name
['Apache Apache APISIX >=2.11.0，<2.12.1', 'Apache Apache APISIX <2.10.4']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2022-24112",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2022-24112"
    }
  },
  "description": "Apache Apisix\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u57fa\u91d1\u4f1a\u7684\u4e00\u4e2a\u4e91\u539f\u751f\u7684\u5fae\u670d\u52a1API\u7f51\u5173\u670d\u52a1\u3002\u8be5\u8f6f\u4ef6\u57fa\u4e8e OpenResty \u548c etcd \u6765\u5b9e\u73b0\uff0c\u5177\u5907\u52a8\u6001\u8def\u7531\u548c\u63d2\u4ef6\u70ed\u52a0\u8f7d\uff0c\u9002\u5408\u5fae\u670d\u52a1\u4f53\u7cfb\u4e0b\u7684 API \u7ba1\u7406\u3002\n\nApache APISIX\u4e2d\u5b58\u5728\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u4ea7\u54c1\u7684batch-requests\u63d2\u4ef6\u672a\u5bf9\u7528\u6237\u7684\u6279\u5904\u7406\u8bf7\u6c42\u8fdb\u884c\u6709\u6548\u9650\u5236\u3002\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u8be5\u6f0f\u6d1e\u7ed5\u8fc7Admin API\u7684IP\u9650\u5236\uff0c\u5bb9\u6613\u5bfc\u81f4\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://lists.apache.org/thread/lcdqywz8zy94mdysk7p3gfdgn51jmt94",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2022-12799",
  "openTime": "2022-02-20",
  "patchDescription": "Apache Apisix\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u57fa\u91d1\u4f1a\u7684\u4e00\u4e2a\u4e91\u539f\u751f\u7684\u5fae\u670d\u52a1API\u7f51\u5173\u670d\u52a1\u3002\u8be5\u8f6f\u4ef6\u57fa\u4e8e OpenResty \u548c etcd \u6765\u5b9e\u73b0\uff0c\u5177\u5907\u52a8\u6001\u8def\u7531\u548c\u63d2\u4ef6\u70ed\u52a0\u8f7d\uff0c\u9002\u5408\u5fae\u670d\u52a1\u4f53\u7cfb\u4e0b\u7684 API \u7ba1\u7406\u3002\r\n\r\nApache APISIX\u4e2d\u5b58\u5728\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u4ea7\u54c1\u7684batch-requests\u63d2\u4ef6\u672a\u5bf9\u7528\u6237\u7684\u6279\u5904\u7406\u8bf7\u6c42\u8fdb\u884c\u6709\u6548\u9650\u5236\u3002\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u8be5\u6f0f\u6d1e\u7ed5\u8fc7Admin API\u7684IP\u9650\u5236\uff0c\u5bb9\u6613\u5bfc\u81f4\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Apache Apisix\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Apache Apache APISIX \u003e=2.11.0\uff0c\u003c2.12.1",
      "Apache Apache APISIX \u003c2.10.4"
    ]
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2022-24112",
  "serverity": "\u9ad8",
  "submitTime": "2022-02-15",
  "title": "Apache Apisix\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e"
}

GSD-2022-24112

Vulnerability from gsd - Updated: 2023-12-13 01:19

Details

Aliases

CVE-2022-24112

Aliases

CVE-2022-24112

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2022-24112",
    "description": "An attacker can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. A default configuration of Apache APISIX (with default API key) is vulnerable to remote code execution. When the admin key was changed or the port of Admin API was changed to a port different from the data panel, the impact is lower. But there is still a risk to bypass the IP restriction of Apache APISIX\u0027s data panel. There is a check in the batch-requests plugin which overrides the client IP with its real remote IP. But due to a bug in the code, this check can be bypassed.",
    "id": "GSD-2022-24112",
    "references": [
      "https://packetstormsecurity.com/files/cve/CVE-2022-24112"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2022-24112"
      ],
      "details": "An attacker can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. A default configuration of Apache APISIX (with default API key) is vulnerable to remote code execution. When the admin key was changed or the port of Admin API was changed to a port different from the data panel, the impact is lower. But there is still a risk to bypass the IP restriction of Apache APISIX\u0027s data panel. There is a check in the batch-requests plugin which overrides the client IP with its real remote IP. But due to a bug in the code, this check can be bypassed.",
      "id": "GSD-2022-24112",
      "modified": "2023-12-13T01:19:43.589800Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security@apache.org",
        "ID": "CVE-2022-24112",
        "STATE": "PUBLIC",
        "TITLE": "apisix/batch-requests plugin allows overwriting the X-REAL-IP header"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Apache APISIX",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_name": "Apache APISIX 2.12",
                          "version_value": "2.12.1"
                        },
                        {
                          "version_affected": "\u003c",
                          "version_name": "Apache APISIX 2.10",
                          "version_value": "2.10.4"
                        },
                        {
                          "version_affected": "\u003e=",
                          "version_name": "Apache APISIX 1",
                          "version_value": "1.3"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Apache Software Foundation"
            }
          ]
        }
      },
      "credit": [
        {
          "lang": "eng",
          "value": "Original discovery by Real World CTF at Chaitin Tech. Reported by Sauercloud."
        }
      ],
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "An attacker can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. A default configuration of Apache APISIX (with default API key) is vulnerable to remote code execution. When the admin key was changed or the port of Admin API was changed to a port different from the data panel, the impact is lower. But there is still a risk to bypass the IP restriction of Apache APISIX\u0027s data panel. There is a check in the batch-requests plugin which overrides the client IP with its real remote IP. But due to a bug in the code, this check can be bypassed."
          }
        ]
      },
      "generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "impact": [
        {
          "other": "high"
        }
      ],
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-290 Authentication Bypass by Spoofing"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://lists.apache.org/thread/lcdqywz8zy94mdysk7p3gfdgn51jmt94",
            "refsource": "MISC",
            "url": "https://lists.apache.org/thread/lcdqywz8zy94mdysk7p3gfdgn51jmt94"
          },
          {
            "name": "[oss-security] 20220211 CVE-2022-24112: Apache APISIX: apisix/batch-requests plugin allows overwriting the X-REAL-IP header",
            "refsource": "MLIST",
            "url": "http://www.openwall.com/lists/oss-security/2022/02/11/3"
          },
          {
            "name": "http://packetstormsecurity.com/files/166228/Apache-APISIX-Remote-Code-Execution.html",
            "refsource": "MISC",
            "url": "http://packetstormsecurity.com/files/166228/Apache-APISIX-Remote-Code-Execution.html"
          },
          {
            "name": "http://packetstormsecurity.com/files/166328/Apache-APISIX-2.12.1-Remote-Code-Execution.html",
            "refsource": "MISC",
            "url": "http://packetstormsecurity.com/files/166328/Apache-APISIX-2.12.1-Remote-Code-Execution.html"
          }
        ]
      },
      "source": {
        "discovery": "UNKNOWN"
      },
      "work_around": [
        {
          "lang": "eng",
          "value": "1. explicitly configure the enabled plugins in `conf/config.yaml`, ensure `batch-requests` is disabled. (Or just comment out `batch-requests` in `conf/config-default.yaml`)\nOr\n1. upgrade to 2.10.4 or 2.12.1."
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:apache:apisix:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "2.12.1",
                "versionStartIncluding": "2.11.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:apisix:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "2.10.4",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2022-24112"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "An attacker can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. A default configuration of Apache APISIX (with default API key) is vulnerable to remote code execution. When the admin key was changed or the port of Admin API was changed to a port different from the data panel, the impact is lower. But there is still a risk to bypass the IP restriction of Apache APISIX\u0027s data panel. There is a check in the batch-requests plugin which overrides the client IP with its real remote IP. But due to a bug in the code, this check can be bypassed."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-290"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://lists.apache.org/thread/lcdqywz8zy94mdysk7p3gfdgn51jmt94",
              "refsource": "MISC",
              "tags": [
                "Mailing List",
                "Mitigation",
                "Vendor Advisory"
              ],
              "url": "https://lists.apache.org/thread/lcdqywz8zy94mdysk7p3gfdgn51jmt94"
            },
            {
              "name": "[oss-security] 20220211 CVE-2022-24112: Apache APISIX: apisix/batch-requests plugin allows overwriting the X-REAL-IP header",
              "refsource": "MLIST",
              "tags": [
                "Mailing List",
                "Mitigation",
                "Third Party Advisory"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2022/02/11/3"
            },
            {
              "name": "http://packetstormsecurity.com/files/166228/Apache-APISIX-Remote-Code-Execution.html",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "http://packetstormsecurity.com/files/166228/Apache-APISIX-Remote-Code-Execution.html"
            },
            {
              "name": "http://packetstormsecurity.com/files/166328/Apache-APISIX-2.12.1-Remote-Code-Execution.html",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "http://packetstormsecurity.com/files/166328/Apache-APISIX-2.12.1-Remote-Code-Execution.html"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 6.4,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "HIGH",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2022-05-11T14:58Z",
      "publishedDate": "2022-02-11T13:15Z"
    }
  }
}

FKIE_CVE-2022-24112

Vulnerability from fkie_nvd - Published: 2022-02-11 13:15 - Updated: 2025-10-23 14:48

Severity ?

9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
security@apache.org	http://packetstormsecurity.com/files/166228/Apache-APISIX-Remote-Code-Execution.html	Exploit, Third Party Advisory, VDB Entry
security@apache.org	http://packetstormsecurity.com/files/166328/Apache-APISIX-2.12.1-Remote-Code-Execution.html	Exploit, Third Party Advisory, VDB Entry
security@apache.org	http://www.openwall.com/lists/oss-security/2022/02/11/3	Mailing List, Mitigation, Third Party Advisory
security@apache.org	https://lists.apache.org/thread/lcdqywz8zy94mdysk7p3gfdgn51jmt94	Mailing List, Mitigation, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://packetstormsecurity.com/files/166228/Apache-APISIX-Remote-Code-Execution.html	Exploit, Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	http://packetstormsecurity.com/files/166328/Apache-APISIX-2.12.1-Remote-Code-Execution.html	Exploit, Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	http://www.openwall.com/lists/oss-security/2022/02/11/3	Mailing List, Mitigation, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread/lcdqywz8zy94mdysk7p3gfdgn51jmt94	Mailing List, Mitigation, Vendor Advisory
134c704f-9b21-4f2e-91b3-4a467353bcc0	https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-24112	Third Party Advisory, US Government Resource

Impacted products

	Vendor	Product	Version
	apache	apisix	*
	apache	apisix	*

JSON

To clipboard

{
  "cisaActionDue": "2022-09-15",
  "cisaExploitAdd": "2022-08-25",
  "cisaRequiredAction": "Apply updates per vendor instructions.",
  "cisaVulnerabilityName": "Apache APISIX Authentication Bypass Vulnerability",
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:apache:apisix:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "DA41EFA2-1D6E-4D57-89BC-F8A96D684F23",
              "versionEndExcluding": "2.10.4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:apisix:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "8F0B2998-1638-42BC-8585-9AF1E137F4CF",
              "versionEndExcluding": "2.12.1",
              "versionStartIncluding": "2.11.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "An attacker can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. A default configuration of Apache APISIX (with default API key) is vulnerable to remote code execution. When the admin key was changed or the port of Admin API was changed to a port different from the data panel, the impact is lower. But there is still a risk to bypass the IP restriction of Apache APISIX\u0027s data panel. There is a check in the batch-requests plugin which overrides the client IP with its real remote IP. But due to a bug in the code, this check can be bypassed."
    },
    {
      "lang": "es",
      "value": "Un atacante puede abusar del plugin batch-requests para enviar peticiones para omitir la restricci\u00f3n de IP de la API de administraci\u00f3n. Una configuraci\u00f3n por defecto de Apache APISIX (con la clave API por defecto) es vulnerable a una ejecuci\u00f3n de c\u00f3digo remota. Cuando ha  sido cambiada la clave de administraci\u00f3n o ha sido cambiado el puerto de la API de administraci\u00f3n a un puerto diferente al del panel de datos, el impacto es menor. Pero todav\u00eda se presenta el riesgo de omitir la restricci\u00f3n de IP del panel de datos de Apache APISIX. Se presenta una comprobaci\u00f3n en el plugin de peticiones por lotes que anula la IP del cliente con su IP remota real. Pero debido a un error en el c\u00f3digo, esta comprobaci\u00f3n puede ser omitida"
    }
  ],
  "id": "CVE-2022-24112",
  "lastModified": "2025-10-23T14:48:48.137",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 7.5,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2022-02-11T13:15:08.073",
  "references": [
    {
      "source": "security@apache.org",
      "tags": [
        "Exploit",
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://packetstormsecurity.com/files/166228/Apache-APISIX-Remote-Code-Execution.html"
    },
    {
      "source": "security@apache.org",
      "tags": [
        "Exploit",
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://packetstormsecurity.com/files/166328/Apache-APISIX-2.12.1-Remote-Code-Execution.html"
    },
    {
      "source": "security@apache.org",
      "tags": [
        "Mailing List",
        "Mitigation",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2022/02/11/3"
    },
    {
      "source": "security@apache.org",
      "tags": [
        "Mailing List",
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://lists.apache.org/thread/lcdqywz8zy94mdysk7p3gfdgn51jmt94"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://packetstormsecurity.com/files/166228/Apache-APISIX-Remote-Code-Execution.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://packetstormsecurity.com/files/166328/Apache-APISIX-2.12.1-Remote-Code-Execution.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Mitigation",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2022/02/11/3"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://lists.apache.org/thread/lcdqywz8zy94mdysk7p3gfdgn51jmt94"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "Third Party Advisory",
        "US Government Resource"
      ],
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-24112"
    }
  ],
  "sourceIdentifier": "security@apache.org",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-290"
        }
      ],
      "source": "security@apache.org",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-290"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

CVE-2022-24112

Vulnerability from fstec - Published: 11.02.2022

Title

Уязвимость облачного API-шлюза Apache APISIX, связанная с обходом аутентификации посредством спуфинга, позволяющая нарушителю выполнить произвольный код

Description

Уязвимость облачного API-шлюза Apache APISIX связана с обходом аутентификации посредством спуфинга. Эксплуатация уязвимости может позволить нарушителю, действующему удалённо, выполнить произвольный код

Severity ?


                    
                      AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vendor

Apache Software Foundation

Software Name

APISIX

Software Version

до 2.10.4 (APISIX), от 2.11.0 до 2.12.1 (APISIX)

Possible Mitigations

Использование рекомендаций: https://lists.apache.org/thread/lcdqywz8zy94mdysk7p3gfdgn51jmt94

Reference

https://nvd.nist.gov/vuln/detail/CVE-2022-24112 https://lists.apache.org/thread/lcdqywz8zy94mdysk7p3gfdgn51jmt94 http://packetstormsecurity.com/files/166228/Apache-APISIX-Remote-Code-Execution.html https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv

CWE

CWE-290

JSON

To clipboard

{
  "CVSS 2.0": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
  "CVSS 3.0": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
  "CVSS 4.0": null,
  "remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": null,
  "remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": null,
  "\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "Apache Software Foundation",
  "\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "\u0434\u043e 2.10.4 (APISIX), \u043e\u0442 2.11.0 \u0434\u043e 2.12.1 (APISIX)",
  "\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439:\nhttps://lists.apache.org/thread/lcdqywz8zy94mdysk7p3gfdgn51jmt94",
  "\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "11.02.2022",
  "\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "24.09.2024",
  "\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "18.05.2022",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2022-03010",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2022-24112",
  "\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
  "\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u0434\u0430",
  "\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "APISIX",
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": null,
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043e\u0431\u043b\u0430\u0447\u043d\u043e\u0433\u043e API-\u0448\u043b\u044e\u0437\u0430 Apache APISIX, \u0441\u0432\u044f\u0437\u0430\u043d\u043d\u0430\u044f \u0441 \u043e\u0431\u0445\u043e\u0434\u043e\u043c \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0438 \u043f\u043e\u0441\u0440\u0435\u0434\u0441\u0442\u0432\u043e\u043c \u0441\u043f\u0443\u0444\u0438\u043d\u0433\u0430, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u0432\u044b\u043f\u043e\u043b\u043d\u0438\u0442\u044c \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u043b\u044c\u043d\u044b\u0439 \u043a\u043e\u0434",
  "\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0421\u0443\u0449\u0435\u0441\u0442\u0432\u0443\u0435\u0442 \u0432 \u043e\u0442\u043a\u0440\u044b\u0442\u043e\u043c \u0434\u043e\u0441\u0442\u0443\u043f\u0435",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u041e\u0431\u0445\u043e\u0434 \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0438 \u043f\u043e\u0441\u0440\u0435\u0434\u0441\u0442\u0432\u043e\u043c \u0441\u043f\u0443\u0444\u0438\u043d\u0433\u0430 (CWE-290)",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043e\u0431\u043b\u0430\u0447\u043d\u043e\u0433\u043e API-\u0448\u043b\u044e\u0437\u0430 Apache APISIX \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u043e\u0431\u0445\u043e\u0434\u043e\u043c \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0438 \u043f\u043e\u0441\u0440\u0435\u0434\u0441\u0442\u0432\u043e\u043c \u0441\u043f\u0443\u0444\u0438\u043d\u0433\u0430. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0451\u043d\u043d\u043e, \u0432\u044b\u043f\u043e\u043b\u043d\u0438\u0442\u044c \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u043b\u044c\u043d\u044b\u0439 \u043a\u043e\u0434",
  "\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
  "\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": null,
  "\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430",
  "\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u041d\u0430\u0440\u0443\u0448\u0435\u043d\u0438\u0435 \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0438",
  "\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "https://nvd.nist.gov/vuln/detail/CVE-2022-24112\nhttps://lists.apache.org/thread/lcdqywz8zy94mdysk7p3gfdgn51jmt94\nhttp://packetstormsecurity.com/files/166228/Apache-APISIX-Remote-Code-Execution.html\nhttps://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv",
  "\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
  "\u0422\u0438\u043f \u041f\u041e": "\u0421\u0435\u0442\u0435\u0432\u043e\u0435 \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u043e, \u0421\u0435\u0442\u0435\u0432\u043e\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0435 \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u043e",
  "\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-290",
  "\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041a\u0440\u0438\u0442\u0438\u0447\u0435\u0441\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 10)\n\u041a\u0440\u0438\u0442\u0438\u0447\u0435\u0441\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 9,8)"
}

bit-apisix-2022-24112

Vulnerability from bitnami_vulndb

Published

2024-03-06 10:51

Modified

2025-10-22 09:08

Summary

apisix/batch-requests plugin allows overwriting the X-REAL-IP header

Details

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Bitnami",
        "name": "apisix",
        "purl": "pkg:bitnami/apisix"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.10.4"
            },
            {
              "introduced": "2.11.0"
            },
            {
              "fixed": "2.12.1"
            }
          ],
          "type": "SEMVER"
        }
      ],
      "severity": [
        {
          "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "type": "CVSS_V3"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-24112"
  ],
  "database_specific": {
    "cpes": [
      "cpe:2.3:a:apache:apisix:*:*:*:*:*:*:*:*"
    ],
    "severity": "Critical"
  },
  "details": "An attacker can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. A default configuration of Apache APISIX (with default API key) is vulnerable to remote code execution. When the admin key was changed or the port of Admin API was changed to a port different from the data panel, the impact is lower. But there is still a risk to bypass the IP restriction of Apache APISIX\u0027s data panel. There is a check in the batch-requests plugin which overrides the client IP with its real remote IP. But due to a bug in the code, this check can be bypassed.",
  "id": "BIT-apisix-2022-24112",
  "modified": "2025-10-22T09:08:25.162Z",
  "published": "2024-03-06T10:51:05.969Z",
  "references": [
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/166228/Apache-APISIX-Remote-Code-Execution.html"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/166328/Apache-APISIX-2.12.1-Remote-Code-Execution.html"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2022/02/11/3"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/lcdqywz8zy94mdysk7p3gfdgn51jmt94"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24112"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-24112"
    }
  ],
  "schema_version": "1.5.0",
  "summary": "apisix/batch-requests plugin allows overwriting the X-REAL-IP header"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2022-24112 (GCVE-0-2022-24112)

GHSA-2VC7-6W39-6RH2

CNVD-2022-12799

GSD-2022-24112

FKIE_CVE-2022-24112

CVE-2022-24112

bit-apisix-2022-24112

Vulnerability from bitnami_vulndb

Tags

Sightings

Nomenclature