Lucene search

AttackerKBAKB:300897EA-9C15-4FC4-9EDE-D9FF9DF626F6

HistoryFeb 11, 2022 - 12:00 a.m.

CVE-2022-24112

2022-02-1100:00:00

attackerkb.com

apache apisix

ip restriction

admin api

remote code execution

bypass

data panel

vulnerability

http header

ssrf

rce

lua code

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.6

Confidence

High

EPSS

0.974

Percentile

99.9%

JSON

An attacker can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. A default configuration of Apache APISIX (with default API key) is vulnerable to remote code execution. When the admin key was changed or the port of Admin API was changed to a port different from the data panel, the impact is lower. But there is still a risk to bypass the IP restriction of Apache APISIX’s data panel. There is a check in the batch-requests plugin which overrides the client IP with its real remote IP. But due to a bug in the code, this check can be bypassed.

Recent assessments:

noraj at March 09, 2022 8:03pm UTC reported:

IP restriction bypass via X-REAL-IP HTTP header then SSRF and RCE on admin route with LUA code executed via scripts

Assessed Attacker Value: 4
Assessed Attacker Value: 4Assessed Attacker Value: 2