
10 matches found

Nuclei
added yesterday, 53 views

Apache APISIX - Remote Code Execution

A default configuration of Apache APISIX with default API key is vulnerable to remote code execution. An attacker can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. When the admin key was changed or the port of Admin API was changed to a port different...

CVSS 9.8, AI score 9, EPSS 0.96182
Exploits: 16, References: 5
RedhatCVE
added 2025/05/22 9:55 p.m., 8 views

CVE-2022-24112

An attacker can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. A default configuration of Apache APISIX with default API key is vulnerable to remote code execution. When the admin key was changed or the port of Admin API was changed to a port different...

CVSS 9.8, AI score 7.5, EPSS 0.96182
Exploits: 16, References: 1
GithubExploit
added 2022/03/16 9:19 a.m., 419 views

Exploit for Authentication Bypass by Spoofing in Apache Apisix

Apache APISIX Remote Code Execution CVE-2022-24112 Exploit...

CVSS 9.8, AI score 10, EPSS 0.96182
Exploits: 16
CNVD
added 2022/02/15 12:0 a.m., 115 views

Apache Apisix Remote Code Execution Vulnerability

Apache Apisix is a cloud-native microservice API gateway service from the Apache Foundation. The software is based on OpenResty and etcd, with dynamic routing and plug-in hot loading, and is suitable for API management in microservice systems. A remote code execution vulnerability...

CVSS 9.8, AI score 9.7, EPSS 0.96182
Exploits: 16, References: 1
NVD
added 2022/02/11 1:15 p.m., 27 views

CVE-2022-24112

An attacker can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. A default configuration of Apache APISIX with default API key is vulnerable to remote code execution. When the admin key was changed or the port of Admin API was changed to a port different...

CVSS 9.8, EPSS 0.96182
Exploits: 16, References: 5
OSV
added 2022/02/11 1:15 p.m., 41 views

CVE-2022-24112

An attacker can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. A default configuration of Apache APISIX with default API key is vulnerable to remote code execution. When the admin key was changed or the port of Admin API was changed to a port different...

CVSS 9.8, AI score 7.4, EPSS 0.96182
Exploits: 16, References: 5
Prion
added 2022/02/11 1:15 p.m., 30 views

Default configuration

An attacker can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. A default configuration of Apache APISIX with default API key is vulnerable to remote code execution. When the admin key was changed or the port of Admin API was changed to a port different...

CVSS 7.5, AI score 9.6, EPSS 0.96182
Exploits: 16, References: 4, Affected Software: 1
CVE
added 2022/02/11 12:20 p.m., 1040 views

CVE-2022-24112

CVE-2022-24112 affects Apache APISIX. It arises from the batch-requests plugin, where a bug can bypass the Admin API IP restriction, enabling remote code execution. Exploits/PoCs exist for APISIX 2.12.0–2.12.1 demonstrating RCE via admin API path and Lua code injection in routes, with documented ...

CVSS 9.8, AI score 9.7, EPSS 0.96182
In wild, Exploits: 16, References: 5, Affected Software: 1
Positive Technologies
added 2022/02/11 12:0 a.m., 5 views

PT-2022-2569

Name of the Vulnerable Software and Affected Versions: Apache APISIX versions 2.12.1
Description: The issue concerns an authentication bypass vulnerability in Apache APISIX, where an attacker can exploit the batch-requests plugin to send requests and bypass the IP restriction of the Admin API. Th...

CVSS 10, AI score 10, EPSS 0.96182
Exploits: 16, References: 34
CNNVD
added 2022/02/11 12:0 a.m., 3 views

Apache APISIX Security Vulnerability

Apache Apisix is a cloud-native microservice API gateway service from the Apache Foundation. The software is based on OpenResty and etcd, with dynamic routing and plug-in hot loading, and is suitable for API management in microservice systems. A remote code execution vulnerability...

CVSS 9.8, AI score 6.8, EPSS 0.96182
Exploits: 16, References: 11