
6 matches found

CVE | added 2023/10/10 12:00 a.m. | 5288 views

CVE-2023-44487

CVE-2023-44487 – HTTP/2 Rapid Reset DoS. Root cause: HTTP/2 stream resets can cause servers to continue processing, leading to unbounded resource consumption and potential DoS when clients rapidly cancel streams. What’s affected: Various HTTP/2 implementations and deployments, including servers, p...

CVSS 7.5 | AI score 8 | EPSS 0.99999
Tags: In wild, Web
CVE | added 2022/02/11 12:20 p.m. | 1049 views

CVE-2022-24112

CVE-2022-24112 affects Apache APISIX. It arises from the batch-requests plugin, where a bug can bypass the Admin API IP restriction, enabling remote code execution. Exploits/PoCs exist for APISIX 2.12.0–2.12.1 demonstrating RCE via admin API path and Lua code injection in routes, with documented ...

CVSS 9.8 | AI score 9.7 | EPSS 0.96182
Tags: In wild, Web
CVE | added 2022/04/20 7:15 a.m. | 601 views

CVE-2022-29266

Apache APISIX prior to 3.13.1 is affected by an information-disclosure issue in the jwt-auth plugin. The error message returned by the dependency lua-resty-jwt can leak the user’s secret key, enabling leakage of sensitive credentials. Affected product: Apache APISIX (jwt-auth plugin); vulnerable ...

CVSS 7.5 | AI score 7.5 | EPSS 0.07688
CVE | added 2022/03/28 7:00 a.m. | 126 views

CVE-2022-25757

CVE-2022-25757 (Apache APISIX) affects APISIX up to version 2.12.x before 2.13.0. When decoding JSON with duplicate keys, lua-cjson returns the last value, allowing an attacker to bypass the body_schema validation in the request-validation plugin (e.g., {"string_payload":"bad","string_payload":"g...

CVSS 9.8 | AI score 9.5 | EPSS 0.02384
CVE | added 2021/11/22 8:25 a.m. | 81 views

CVE-2021-43557

CVE-2021-43557 affects Apache APISIX prior to 2.10.2. The issue is in the uri-block plugin, which uses $request_uri (the full original request URI without normalization) without verification, enabling construction of URIs that can bypass the block list (e.g., a block entry like ^/internal/ could ...

CVSS 7.5 | AI score 7.3 | EPSS 0.14589
CVE | added 2025/07/02 11:08 a.m. | 25 views

CVE-2025-46647

CVE-2025-46647 concerns the Apache APISIX openid-connect plugin (introspection mode), where multiple issuers sharing the same private key can allow a user authenticated to one issuer to access another issuer. Public details from multiple sources specify that the vulnerability requires: (1) openid-connect p...

CVSS 5.3 | AI score 7.2 | EPSS 0.00412