Lucene search
K

276 matches found

RedhatCVE
RedhatCVE
added 2025/05/22 9:55 p.m.11 views

CVE-2022-24112

An attacker can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. A default configuration of Apache APISIX with default API key is vulnerable to remote code execution. When the admin key was changed or the port of Admin API was changed to a port different...

9.8CVSS7.5AI score0.96182EPSS
Exploits16References1
RedhatCVE
RedhatCVE
added 2025/05/22 9:35 p.m.7 views

CVE-2021-43557

The uri-block plugin in Apache APISIX before 2.10.2 uses $requesturi without verification. The $requesturi is the full original request URI without normalization. This makes it possible to construct a URI to bypass the block list on some occasions. For instance, when the block list contains...

7.5CVSS6.7AI score0.14589EPSS
Exploits1
RedhatCVE
RedhatCVE
added 2025/05/22 9:9 p.m.6 views

CVE-2021-45232

In Apache APISIX Dashboard before 2.10.1, the Manager API uses two frameworks and introduces framework droplet on the basis of framework gin, all APIs and authentication middleware are developed based on framework droplet, but some API directly use the interface of framework gin thus bypassing th...

9.8CVSS7AI score0.85943EPSS
Exploits5
RedhatCVE
RedhatCVE
added 2025/05/22 3:10 p.m.9 views

CVE-2020-13945

In Apache APISIX, the user enabled the Admin API and deleted the Admin API access IP restriction rules. Eventually, the default token is allowed to access APISIX management data. This affects versions 1.2, 1.3, 1.4, 1.5...

6.5CVSS6.7AI score0.72976EPSS
Exploits5
RedhatCVE
RedhatCVE
added 2025/02/14 11:39 a.m.12 views

CVE-2024-32638

Inconsistent Interpretation of HTTP Requests 'HTTP Request Smuggling' vulnerability in Apache APISIX when using forward-auth plugin.This issue affects Apache APISIX: from 3.8.0, 3.9.0. Users are recommended to upgrade to version 3.8.1, 3.9.1 or higher, which fixes the issue...

6.3CVSS6.9AI score0.01065EPSS
Exploits0References1
Tenable Nessus
Tenable Nessus
added 2024/11/14 12:0 a.m.10 views

Apache APISIX Dashboard Default Credentials

The scanner successfully authenticated on the Apache APISIX web application by using predictable credentials on its login form. No source data...

7.2AI score
Exploits0References2
Tenable Nessus
Tenable Nessus
added 2024/11/14 12:0 a.m.13 views

Apache APISIX Dashboard < 2.10.1 Authentication Bypass

Apache APISIX Dashboard version prior to 2.10.1 suffers from a vulnerability allowing a remote attacker to bypass authentication and access sensitive resources via a specially forged request. No source data...

9.8CVSS7.4AI score0.85943EPSS
Exploits5References2
OSV
OSV
added 2024/05/04 7:16 a.m.34 views

BIT-APISIX-2024-32638 Apache APISIX: Forward-Auth Request Smuggling

Inconsistent Interpretation of HTTP Requests 'HTTP Request Smuggling' vulnerability in Apache APISIX when using forward-auth plugin.This issue affects Apache APISIX: from 3.8.0, 3.9.0. Users are recommended to upgrade to version 3.8.1, 3.9.1 or higher, which fixes the issue...

6.3CVSS6.3AI score0.01065EPSS
Exploits0References3
NVD
NVD
added 2024/05/02 10:15 a.m.18 views

CVE-2024-32638

Inconsistent Interpretation of HTTP Requests 'HTTP Request Smuggling' vulnerability in Apache APISIX when using forward-auth plugin.This issue affects Apache APISIX: from 3.8.0, 3.9.0. Users are recommended to upgrade to version 3.8.1, 3.9.1 or higher, which fixes the issue...

6.3CVSS6.6AI score0.01065EPSS
Exploits0References2
OSV
OSV
added 2024/05/02 9:20 a.m.4 views

CVE-2024-32638 Apache APISIX: Forward-Auth Request Smuggling

Inconsistent Interpretation of HTTP Requests 'HTTP Request Smuggling' vulnerability in Apache APISIX when using forward-auth plugin.This issue affects Apache APISIX: from 3.8.0, 3.9.0. Users are recommended to upgrade to version 3.8.1, 3.9.1 or higher, which fixes the issue...

6.3CVSS6AI score0.01065EPSS
Exploits0References4
Cvelist
Cvelist
added 2024/05/02 9:20 a.m.34 views

CVE-2024-32638 Apache APISIX: Forward-Auth Request Smuggling

Inconsistent Interpretation of HTTP Requests 'HTTP Request Smuggling' vulnerability in Apache APISIX when using forward-auth plugin.This issue affects Apache APISIX: from 3.8.0, 3.9.0. Users are recommended to upgrade to version 3.8.1, 3.9.1 or higher, which fixes the issue...

6.8AI score0.01065EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2024/05/02 9:20 a.m.24 views

CVE-2024-32638 Apache APISIX: Forward-Auth Request Smuggling

Inconsistent Interpretation of HTTP Requests 'HTTP Request Smuggling' vulnerability in Apache APISIX when using forward-auth plugin.This issue affects Apache APISIX: from 3.8.0, 3.9.0. Users are recommended to upgrade to version 3.8.1, 3.9.1 or higher, which fixes the issue...

6.4AI score0.01065EPSS
Exploits0References2
CVE
CVE
added 2024/05/02 9:20 a.m.119 views

CVE-2024-32638

This CVE (CVE-2024-32638) concerns Apache APISIX and the forward-auth plugin, where an Inconsistent Interpretation of HTTP Requests (HTTP Request Smuggling) vulnerability exists. Affected versions are APISIX 3.8.0 and 3.9.0; upgrading to 3.8.1, 3.9.1, or newer mitigates the issue. The vulnerabili...

6.3CVSS6.4AI score0.01065EPSS
Exploits0References2Affected Software1
CNNVD
CNNVD
added 2024/05/02 12:0 a.m.10 views

Apache APISIX 环境问题漏洞

Apache Apisix is a cloud-native microservices API gateway service from the Apache USA Foundation. The software is implemented based on OpenResty and etcd, with dynamic routing and plugin hot loading, suitable for API management under the microservice system. An environment issue vulnerability...

6.3CVSS6.7AI score0.01065EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2024/05/02 12:0 a.m.6 views

PT-2024-24735 · Apache · Apache Apisix

Name of the Vulnerable Software and Affected Versions: Apache APISIX versions 3.8.0 through 3.9.0 Description: The issue is related to an Inconsistent Interpretation of HTTP Requests, also known as 'HTTP Request Smuggling', in Apache APISIX when using the forward-auth plugin. Recommendations: For...

6.3CVSS6.3AI score0.01065EPSS
Exploits0References11
OSV
OSV
added 2024/03/06 10:51 a.m.29 views

BIT-APISIX-2020-13945

In Apache APISIX, the user enabled the Admin API and deleted the Admin API access IP restriction rules. Eventually, the default token is allowed to access APISIX management data. This affects versions 1.2, 1.3, 1.4, 1.5...

6.5CVSS6.5AI score0.72976EPSS
Exploits5References3
OSV
OSV
added 2024/03/06 10:51 a.m.62 views

BIT-APISIX-2021-43557 Path traversal in request_uri variable

The uri-block plugin in Apache APISIX before 2.10.2 uses $requesturi without verification. The $requesturi is the full original request URI without normalization. This makes it possible to construct a URI to bypass the block list on some occasions. For instance, when the block list contains...

7.5CVSS7.3AI score0.14589EPSS
Exploits1References5
OSV
OSV
added 2024/03/06 10:51 a.m.30 views

BIT-APISIX-2022-24112 apisix/batch-requests plugin allows overwriting the X-REAL-IP header

An attacker can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. A default configuration of Apache APISIX with default API key is vulnerable to remote code execution. When the admin key was changed or the port of Admin API was changed to a port different...

9.8CVSS9.6AI score0.96182EPSS
Exploits16References6
OSV
OSV
added 2024/03/06 10:50 a.m.69 views

BIT-APISIX-2022-25757 Apache APISIX: the body_schema check in request-validation plugin can be bypassed

In Apache APISIX before 2.13.0, when decoding JSON with duplicate keys, lua-cjson will choose the last occurred value as the result. By passing a JSON with a duplicate key, the attacker can bypass the bodyschema validation in the request-validation plugin. For example,...

9.8CVSS9.4AI score0.02384EPSS
Exploits0References3
OSV
OSV
added 2024/03/06 10:50 a.m.58 views

BIT-APISIX_DASHBOARD-2021-33190 Bypass network access control

In Apache APISIX Dashboard version 2.6, we changed the default value of listen host to 0.0.0.0 in order to facilitate users to configure external network access. In the IP allowed list restriction, a risky function was used for the IP acquisition, which made it possible to bypass the network limi...

5.3CVSS5.1AI score0.02694EPSS
Exploits0References3
Rows per page
Query Builder