17 matches found
Apache Apisix security vulnerabilities
Apache APISIX is a cloud-native microservices API gateway from the Apache Software Foundation (United States). It is built on OpenResty and etcd and supports dynamic routing and hot-loading of plugins, which makes it suitable for API management within microservice systems...
EUVD-2025-19707
Malicious code in bioql PyPI...
EUVD-2025-14884
Malicious code in bioql PyPI...
CVE-2025-46647
A vulnerability of plugin openid-connect in Apache APISIX. This vulnerability will only have an impact if all of the following conditions are met: 1. Use the openid-connect plugin with introspection mode 2. The auth service connected to openid-connect provides services to multiple issuers 3...
BIT-APISIX-2025-46647 Apache APISIX: improper validation of issuer from introspection discovery url in plugin openid-connect
A vulnerability of plugin openid-connect in Apache APISIX. This vulnerability will only have an impact if all of the following conditions are met: 1. Use the openid-connect plugin with introspection mode 2. The auth service connected to openid-connect provides services to multiple issuers 3...
CVE-2025-46647 Apache APISIX: improper validation of issuer from introspection discovery url in plugin openid-connect
A vulnerability of plugin openid-connect in Apache APISIX. This vulnerability will only have an impact if all of the following conditions are met: 1. Use the openid-connect plugin with introspection mode 2. The auth service connected to openid-connect provides services to multiple issuers 3...
CVE-2025-46647
CVE-2025-46647 concerns the Apache APISIX openid-connect plugin in introspection mode: when multiple issuers share the same private key, a user authenticated to one issuer can access resources that a route protects on behalf of another issuer. Public details from multiple sources specify the vulnerability requires: (1) openid-connect p...
PT-2025-27623 · Apache · Apache Apisix
Name of the Vulnerable Software and Affected Versions: Apache APISIX versions prior to 3.12.0 Description: A vulnerability in the openid-connect plugin of Apache APISIX allows an attacker with a valid account on one issuer to log into another issuer, given certain conditions. These conditions...
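To make the failure mode behind CVE-2025-46647 concrete, the following Python model (added here; it is not Apache APISIX or lua-resty-openidc code and does not reproduce the plugin's introspection path) mints HS256 tokens for two constructed issuers that share one signing key. It shows that checking only signature and expiry accepts a tenant-a token on a route configured for tenant-b, while an exact comparison of the token's `iss` claim against the issuer configured for that route rejects it. The issuer URLs, key, subjects and claim values are all constructed for the example.

```python
"""
Issuer-confusion check for an OIDC gateway route, modelled on the
condition described for CVE-2025-46647: one auth service serving several
issuers with a shared key. Added illustration, not APISIX plugin code.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed: one auth service serves two tenants (issuers) with one key.
SHARED_KEY = b"constructed-shared-hs256-key"
ISSUER_A = "https://idp.example/tenant-a"
ISSUER_B = "https://idp.example/tenant-b"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(issuer: str, subject: str, key: bytes = SHARED_KEY,
               ttl: int = 300) -> str:
    """Compact JWS (HS256) as a multi-issuer auth service would mint it."""
    header = {"alg": "HS256", "typ": "JWT"}
    now = int(time.time())
    claims = {"iss": issuer, "sub": subject, "iat": now, "exp": now + ttl}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_signature_only(token: str, key: bytes = SHARED_KEY) -> Optional[dict]:
    """Vulnerable pattern: accept any well-signed, unexpired token.

    Both issuers sign with the same key, so a tenant-a token is accepted
    on a route that was meant to trust tenant-b only.
    """
    try:
        h, c, s = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(key, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return None
    claims = json.loads(_b64url_decode(c))
    if claims.get("exp", 0) < time.time():
        return None
    return claims


def verify_for_issuer(token: str, expected_issuer: str,
                      key: bytes = SHARED_KEY) -> Optional[dict]:
    """Hardened: the token's iss must equal the issuer configured for this
    route (the value taken from that route's discovery document)."""
    claims = verify_signature_only(token, key)
    if claims is None:
        return None
    # Exact string comparison; no prefix, suffix or substring matching.
    if claims.get("iss") != expected_issuer:
        return None
    return claims


if __name__ == "__main__":
    token_a = mint_token(ISSUER_A, "alice")
    print("signature-only, tenant-b route:", verify_signature_only(token_a))
    print("issuer-checked, tenant-b route:", verify_for_issuer(token_a, ISSUER_B))
```

In introspection mode the same comparison applies to the introspection response: where the endpoint returns an `iss` value, compare it against the issuer configured for the route rather than accepting any token reported as active. The actual remediation is upgrading to the fixed release (3.12.0, per the PT-2025-27623 entry above).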
CVE-2021-24214
The OpenID Connect Generic Client WordPress plugin 3.8.0 and 3.8.1 did not sanitise the login error when output back in the login form, leading to a reflected Cross-Site Scripting issue. This issue does not require authentication and can be exploited with the default configuration...
Jenkins OpenID Connect Provider Plugin Incorrectly Validates Crafted Build ID Tokens
In Jenkins OpenID Connect Provider Plugin 96.vee8ed882ec4d and earlier the generation of build ID Tokens uses potentially overridden values of environment variables, in conjunction with certain other plugins allowing attackers able to configure jobs to craft a build ID Token that impersonates a...
PT-2025-21237 · Jenkins · Jenkins Openid Connect Provider Plugin +1
Name of the Vulnerable Software and Affected Versions: Jenkins OpenID Connect Provider Plugin versions 96.vee8ed882ec4d and earlier Description: The issue concerns the generation of build ID Tokens, which uses potentially overridden values of environment variables. This can be exploited by...
CVE-2024-52553
Jenkins OpenId Connect Authentication Plugin 4.418.vccc7061f5b6d and earlier does not invalidate the previous session on login...
CVE-2023-50770
Jenkins OpenId Connect Authentication Plugin 2.6 and earlier stores a password of a local user account used as an anti-lockout feature in a recoverable format, allowing attackers with access to the Jenkins controller file system to recover the plain text password of that account, likely gaining...
CVE-2023-50771
Jenkins OpenId Connect Authentication Plugin 2.6 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins, allowing attackers to perform phishing attacks...
PT-2019-11319 · Jenkins · Jenkins Openid Connect Authentication Plugin +1
Name of the Vulnerable Software and Affected Versions: Jenkins OpenId Connect Authentication Plugin versions 1.4 and earlier Description: A sensitive information exposure issue exists, allowing attackers who can view a Jenkins administrator's web browser output or control the browser to retrieve...