China National Vulnerability DatabaseCNVD-2022-12799Apache Apisix Remote Code Execution Vulnerability
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
Apache Apisix is a cloud-native microservices API gateway service from the Apache Foundation. A remote code execution vulnerability exists in Apache APISIX, which stems from the productโs batch-requests plugin not effectively limiting batch requests to users. An attacker could bypass the Admin APIโs IP restrictions through this vulnerability, which could easily lead to remote code execution.
| CPE | Name | Operator | Version |
|---|---|---|---|
| Apache Apache APISIX >=2.11.0๏ผ | lt | 2.12.1 | |
| Apache Apache APISIX | lt | 2.10.4 |
Related
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P