CVSS: 7.5EPSS: 81%CPEs: 444EXPL: 7CVE-2023-44487 – HTTP/2 Rapid Reset Attack Vulnerability
https://notcve.org/view.php?id=CVE-2023-44487
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. El protocolo HTTP/2 permite una denegación de servicio (consumo de recursos del servidor) porque la cancelación de solicitudes puede restablecer muchas transmisiones rápidamente, como se explotó en la naturaleza entre agosto y octubre de 2023. A flaw was found in handling multiplexed streams in the HTTP/2 protocol. A client can repeatedly make a request for a new multiplex stream and immediately send an RST_STREAM frame to cancel it. This creates extra work for the server setting up and tearing down the streams while not hitting any server-side limit for the maximum number of active streams per connection, resulting in a denial of service due to server resource consumption. • https://github.com/imabee101/CVE-2023-44487 https://github.com/studiogangster/CVE-2023-44487 https://github.com/bcdannyboy/CVE-2023-44487 https://github.com/sigridou/CVE-2023-44487- https://github.com/ByteHackr/CVE-2023-44487 https://github.com/ReToCode/golang-CVE-2023-44487 http://www.openwall.com/lists/oss-security/2023/10/13/4 http://www.openwall.com/lists/oss-security/2023/10/13/9 http://www.openwall.com/lists/oss-security/2023/10/18/4 http://www. • CWE-400: Uncontrolled Resource Consumption •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-29266 – apisix/jwt-auth may leak secrets in error response
https://notcve.org/view.php?id=CVE-2022-29266
In APache APISIX before 3.13.1, the jwt-auth plugin has a security issue that leaks the user's secret key because the error message returned from the dependency lua-resty-jwt contains sensitive information. En APache APISIX antes de la versión 3.13.1, el plugin jwt-auth tiene un problema de seguridad que filtra la clave secreta del usuario porque el mensaje de error devuelto por la dependencia lua-resty-jwt contiene información sensible • http://www.openwall.com/lists/oss-security/2022/04/20/1 https://lists.apache.org/thread/6qpfyxogbvn18g9xr8g218jjfjbfsbhr • CWE-209: Generation of Error Message Containing Sensitive Information •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-25757 – Apache APISIX: the body_schema check in request-validation plugin can be bypassed
https://notcve.org/view.php?id=CVE-2022-25757
In Apache APISIX before 2.13.0, when decoding JSON with duplicate keys, lua-cjson will choose the last occurred value as the result. By passing a JSON with a duplicate key, the attacker can bypass the body_schema validation in the request-validation plugin. For example, `{"string_payload":"bad","string_payload":"good"}` can be used to hide the "bad" input. Systems satisfy three conditions below are affected by this attack: 1. use body_schema validation in the request-validation plugin 2. upstream application uses a special JSON library that chooses the first occurred value, like jsoniter or gojay 3. upstream application does not validate the input anymore. The fix in APISIX is to re-encode the validated JSON input back into the request body at the side of APISIX. • http://www.openwall.com/lists/oss-security/2022/03/28/2 https://lists.apache.org/thread/03vd2j81krxmpz6xo8p1dl642flpo6fv • CWE-20: Improper Input Validation •
CVSS: 9.8EPSS: 97%CPEs: 2EXPL: 11CVE-2022-24112 – Apache APISIX Authentication Bypass Vulnerability
https://notcve.org/view.php?id=CVE-2022-24112
An attacker can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. A default configuration of Apache APISIX (with default API key) is vulnerable to remote code execution. When the admin key was changed or the port of Admin API was changed to a port different from the data panel, the impact is lower. But there is still a risk to bypass the IP restriction of Apache APISIX's data panel. There is a check in the batch-requests plugin which overrides the client IP with its real remote IP. • https://www.exploit-db.com/exploits/50829 https://github.com/Mr-xn/CVE-2022-24112 https://github.com/M4xSec/Apache-APISIX-CVE-2022-24112 https://github.com/Axx8/CVE-2022-24112 https://github.com/Mah1ndra/CVE-2022-24112 https://github.com/CrackerCat/CVE-2022-24112 https://github.com/wshepherd0010/CVE-2022-24112-Lab https://github.com/kavishkagihan/CVE-2022-24112-POC http://packetstormsecurity.com/files/166228/Apache-APISIX-Remote-Code-Execution.html http://packetstormsecurity.com&# • CWE-290: Authentication Bypass by Spoofing •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 3CVE-2021-43557 – Path traversal in request_uri variable
https://notcve.org/view.php?id=CVE-2021-43557
The uri-block plugin in Apache APISIX before 2.10.2 uses $request_uri without verification. The $request_uri is the full original request URI without normalization. This makes it possible to construct a URI to bypass the block list on some occasions. For instance, when the block list contains "^/internal/", a URI like `//internal/` can be used to bypass it. Some other plugins also have the same issue. • https://github.com/xvnpw/k8s-CVE-2021-43557-poc http://www.openwall.com/lists/oss-security/2021/11/22/1 http://www.openwall.com/lists/oss-security/2021/11/22/2 http://www.openwall.com/lists/oss-security/2021/11/23/1 https://lists.apache.org/thread/18jyd458ptocr31rnkjs71w4h366mv7h • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •