Apisix@* Security Vulnerabilities and Issues — Apisix@* CVE List

Lucene search

ApacheApisix*

3 matches found

CVE•added 2022/02/11 1:15 p.m.•984 views

CVE-2022-24112

An attacker can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. A default configuration of Apache APISIX (with default API key) is vulnerable to remote code execution. When the admin key was changed or the port of Admin API was changed to a port different...

9.8CVSS9.7AI score0.9434EPSS

CVE•added 2022/04/20 8:15 a.m.•584 views

CVE-2022-29266

In APache APISIX before 3.13.1, the jwt-auth plugin has a security issue that leaks the user's secret key because the error message returned from the dependency lua-resty-jwt contains sensitive information.

7.5CVSS7.5AI score0.35102EPSS

CVE•added 2022/03/28 7:15 a.m.•109 views

CVE-2022-25757

In Apache APISIX before 2.13.0, when decoding JSON with duplicate keys, lua-cjson will choose the last occurred value as the result. By passing a JSON with a duplicate key, the attacker can bypass the body_schema validation in the request-validation plugin. For example, {"string_payload":"bad","str...

9.8CVSS9.5AI score0.00402EPSS