Vulnerability Details : CVE-2022-24112
Public exploit exists!
An attacker can abuse the batch-requests plugin to send requests that bypass the IP restriction on the Admin API. A default configuration of Apache APISIX (with the default Admin API key) is vulnerable to remote code execution. When the admin key has been changed, or the Admin API has been moved to a port different from the data plane, the impact is lower, but there is still a risk of bypassing the IP restriction on Apache APISIX's data plane. The batch-requests plugin contains a check that is meant to override the client IP with the real remote IP, but due to a bug in the code this check can be bypassed.
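The description above, together with the advisory title in the references ("allows overwriting the X-REAL-IP header"), points at one bug class: a header merge that compares header names case-sensitively, so a client-supplied spelling of the real-IP header survives next to the value the plugin forces. The following is an added illustrative model of that class, written for this page and not taken from APISIX's Lua source; the function names, the header dictionaries and the IP addresses are constructed for the demonstration, and `effective_real_ip` models a downstream consumer that does a case-insensitive lookup and takes the first match.

```python
"""Illustrative model of a case-sensitive header-merge bypass (not APISIX code)."""

def merge_headers_vulnerable(outer: dict, per_request: dict, real_ip: str) -> dict:
    """Vulnerable merge: common headers are copied into the sub-request only when
    the exact key is absent. The forced real-IP value is stored under one
    spelling, so a per-request key spelled differently is never overridden."""
    merged = dict(per_request)          # attacker controls these keys and values
    common = dict(outer)
    common["X-REAL-IP"] = real_ip       # forced value, one fixed spelling
    for key, value in common.items():
        if key not in merged:           # exact-case check: 'X-Real-IP' != 'X-REAL-IP'
            merged[key] = value
    return merged


def merge_headers_fixed(outer: dict, per_request: dict, real_ip: str) -> dict:
    """Hardened merge: normalise every header name to lowercase before merging,
    then set x-real-ip last so no client-supplied variant can coexist with it."""
    merged = {key.lower(): value for key, value in per_request.items()}
    for key, value in outer.items():
        merged.setdefault(key.lower(), value)
    merged["x-real-ip"] = real_ip       # unconditional, after normalisation
    return merged


def effective_real_ip(headers: dict):
    """Model of a downstream consumer (e.g. an IP-restriction check) that looks the
    header up case-insensitively and, when duplicates exist, takes the first one."""
    for key, value in headers.items():
        if key.lower() == "x-real-ip":
            return value
    return None


def ip_allowed(ip: str, allowlist: set) -> bool:
    """Toy IP-restriction check: exact membership in an allowlist."""
    return ip in allowlist


def demo():
    """Run the same constructed sub-request through both merges and report
    which client IP the downstream check would see and whether it passes."""
    real_ip = "203.0.113.5"                                     # constructed: true TCP peer
    per_request = {"X-Real-IP": "127.0.0.1", "Accept": "*/*"}  # constructed attacker headers
    outer = {"Host": "gateway.example", "User-Agent": "demo"}  # constructed common headers
    allowlist = {"127.0.0.1"}                                   # constructed admin allowlist

    vuln_ip = effective_real_ip(merge_headers_vulnerable(outer, per_request, real_ip))
    fixed_ip = effective_real_ip(merge_headers_fixed(outer, per_request, real_ip))
    return {
        "vulnerable": (vuln_ip, ip_allowed(vuln_ip, allowlist)),
        "fixed": (fixed_ip, ip_allowed(fixed_ip, allowlist)),
    }


if __name__ == "__main__":
    print(demo())
```

The practitioner's takeaway is the shape of the fix rather than the exact header name: any plugin that forwards client-controlled headers into an internal request must normalise names before deciding what to keep, and must write its trusted value after the merge, not before it. The same reasoning applies to any other trust-carrying header a gateway sets on behalf of the client.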
Vulnerability category: Execute code
CVE-2022-24112 is in the CISA Known Exploited Vulnerabilities Catalog
CISA vulnerability name: Apache APISIX Authentication Bypass Vulnerability
CISA required action: Apply updates per vendor instructions.
CISA description: Apache APISIX contains an authentication bypass vulnerability that allows for remote code execution.
Notes: https://lists.apache.org/thread/lcdqywz8zy94mdysk7p3gfdgn51jmt94; https://nvd.nist.gov/vuln/detail/CVE-2022-24112
Added on: 2022-08-25
Action due date: 2022-09-15
Exploit prediction scoring system (EPSS) score for CVE-2022-24112
EPSS score: 97.41% (probability of exploitation activity in the next 30 days)
Percentile: ~100% (the proportion of vulnerabilities scored at or below this value)
Metasploit modules for CVE-2022-24112
- APISIX Admin API default access token RCE
  Disclosure Date: 2020-12-07. First seen: 2022-12-23. Module: exploit/multi/http/apache_apisix_api_default_token_rce
  Apache APISIX has a default, built-in API token edd1c9f034335f136f87ad84b625c8f1 that can be used to access all of the admin API, which leads to remote LUA code execution through the script parameter added in the 2.x version. This module also leverages another vulnerab
CVSS scores for CVE-2022-24112
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source
---|---|---|---|---|---
7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P | 10.0 | 6.4 | NIST
9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST
CWE ids for CVE-2022-24112
- This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.
  Assigned by: nvd@nist.gov (Primary); security@apache.org (Secondary)
References for CVE-2022-24112
- https://lists.apache.org/thread/lcdqywz8zy94mdysk7p3gfdgn51jmt94
  Apache Mail Archives: "CVE-2022-24112: Apache APISIX: apisix/batch-requests plugin allows overwriting the X-REAL-IP header" (Mailing List; Mitigation; Vendor Advisory)
- http://packetstormsecurity.com/files/166328/Apache-APISIX-2.12.1-Remote-Code-Execution.html
  Packet Storm: "Apache APISIX 2.12.1 Remote Code Execution" (Exploit; Third Party Advisory; VDB Entry)
- http://www.openwall.com/lists/oss-security/2022/02/11/3
  oss-security: "CVE-2022-24112: Apache APISIX: apisix/batch-requests plugin allows overwriting the X-REAL-IP header" (Mailing List; Mitigation; Third Party Advisory)
- http://packetstormsecurity.com/files/166228/Apache-APISIX-Remote-Code-Execution.html
  Packet Storm: "Apache APISIX Remote Code Execution" (Exploit; Third Party Advisory; VDB Entry)
Products affected by CVE-2022-24112
- cpe:2.3:a:apache:apisix:*:*:*:*:*:*:*:*