Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline

Apache Apisix Security Vulnerabilities

cve
cve

CVE-2024-32638

Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in Apache APISIX when using forward-auth plugin.This issue affects Apache APISIX: from 3.8.0, 3.9.0. Users are recommended to upgrade to version 3.8.1, 3.9.1 or higher, which fixes the...

6.8AI Score

0.0004EPSS

2024-05-02 10:15 AM
33
cve
cve

CVE-2022-29266

In APache APISIX before 3.13.1, the jwt-auth plugin has a security issue that leaks the user's secret key because the error message returned from the dependency lua-resty-jwt contains sensitive...

7.5CVSS

7.5AI Score

0.001EPSS

2022-04-20 08:15 AM
548
2
cve
cve

CVE-2022-25757

In Apache APISIX before 2.13.0, when decoding JSON with duplicate keys, lua-cjson will choose the last occurred value as the result. By passing a JSON with a duplicate key, the attacker can bypass the body_schema validation in the request-validation plugin. For example,...

9.8CVSS

9.3AI Score

0.004EPSS

2022-03-28 07:15 AM
67
cve
cve

CVE-2022-24112

An attacker can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. A default configuration of Apache APISIX (with default API key) is vulnerable to remote code execution. When the admin key was changed or the port of Admin API was changed to a port...

9.8CVSS

9.5AI Score

0.974EPSS

2022-02-11 01:15 PM
802
In Wild
2
cve
cve

CVE-2021-45232

In Apache APISIX Dashboard before 2.10.1, the Manager API uses two frameworks and introduces framework droplet on the basis of framework gin, all APIs and authentication middleware are developed based on framework droplet, but some API directly use the interface of framework gin thus bypassing the....

9.8CVSS

9.4AI Score

0.972EPSS

2021-12-27 03:15 PM
99
2
cve
cve

CVE-2021-43557

The uri-block plugin in Apache APISIX before 2.10.2 uses $request_uri without verification. The $request_uri is the full original request URI without normalization. This makes it possible to construct a URI to bypass the block list on some occasions. For instance, when the block list contains...

7.5CVSS

7.3AI Score

0.002EPSS

2021-11-22 09:15 AM
31
cve
cve

CVE-2021-33190

In Apache APISIX Dashboard version 2.6, we changed the default value of listen host to 0.0.0.0 in order to facilitate users to configure external network access. In the IP allowed list restriction, a risky function was used for the IP acquisition, which made it possible to bypass the network...

5.3CVSS

5.2AI Score

0.002EPSS

2021-06-08 03:15 PM
20
cve
cve

CVE-2020-13945

In Apache APISIX, the user enabled the Admin API and deleted the Admin API access IP restriction rules. Eventually, the default token is allowed to access APISIX management data. This affects versions 1.2, 1.3, 1.4,...

6.5CVSS

6.5AI Score

0.009EPSS

2020-12-07 08:15 PM
47