An attacker can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. A default configuration of Apache APISIX (with default API key) is vulnerable to remote code execution. When the admin key was changed or the port of Admin API was changed to a port different from the data panel, the impact is lower. But there is still a risk to bypass the IP restriction of Apache APISIX's data panel. There is a check in the batch-requests plugin which overrides the client IP with its real remote IP. But due to a bug in the code, this check can be bypassed.
Published 2022-02-11 13:15:08
Updated 2022-05-11 14:58:01
Vulnerability category: Execute code

CVE-2022-24112 is in the CISA Known Exploited Vulnerabilities Catalog

CISA vulnerability name:
Apache APISIX Authentication Bypass Vulnerability
CISA required action:
Apply updates per vendor instructions.
CISA description:
Apache APISIX contains an authentication bypass vulnerability that allows for remote code execution.
Notes:
https://lists.apache.org/thread/lcdqywz8zy94mdysk7p3gfdgn51jmt94; https://nvd.nist.gov/vuln/detail/CVE-2022-24112
Added on 2022-08-25; action due date 2022-09-15

Exploit prediction scoring system (EPSS) score for CVE-2022-24112

EPSS score: 97.41% (probability of exploitation activity in the next 30 days)
Percentile: ~100% (the proportion of vulnerabilities that are scored at or less)

Metasploit modules for CVE-2022-24112

  • APISIX Admin API default access token RCE
    Disclosure Date: 2020-12-07
    First seen: 2022-12-23
    exploit/multi/http/apache_apisix_api_default_token_rce
    Apache APISIX has a default, built-in API token edd1c9f034335f136f87ad84b625c8f1 that can be used to access all of the admin API, which leads to remote LUA code execution through the script parameter added in the 2.x version. This module also leverages another vulnerab

CVSS scores for CVE-2022-24112

Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source
7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P | 10.0 | 6.4 | NIST
9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST

CWE ids for CVE-2022-24112

  • This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.
    Assigned by:
    • nvd@nist.gov (Primary)
    • security@apache.org (Secondary)

References for CVE-2022-24112

Products affected by CVE-2022-24112
