CVE-2022-24112

Apache APISIX Authentication Bypass Vulnerability

Severity Score

9.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

Yes

*KEV

Decision

*SSVC

Descriptions

An attacker can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. A default configuration of Apache APISIX (with default API key) is vulnerable to remote code execution. When the admin key was changed or the port of Admin API was changed to a port different from the data panel, the impact is lower. But there is still a risk to bypass the IP restriction of Apache APISIX's data panel. There is a check in the batch-requests plugin which overrides the client IP with its real remote IP. But due to a bug in the code, this check can be bypassed.

Un atacante puede abusar del plugin batch-requests para enviar peticiones para omitir la restricción de IP de la API de administración. Una configuración por defecto de Apache APISIX (con la clave API por defecto) es vulnerable a una ejecución de código remota. Cuando ha sido cambiada la clave de administración o ha sido cambiado el puerto de la API de administración a un puerto diferente al del panel de datos, el impacto es menor. Pero todavía se presenta el riesgo de omitir la restricción de IP del panel de datos de Apache APISIX. Se presenta una comprobación en el plugin de peticiones por lotes que anula la IP del cliente con su IP remota real. Pero debido a un error en el código, esta comprobación puede ser omitida

Apache APISIX version 2.12.1 suffers from a remote code execution vulnerability.

Apache APISIX contains an authentication bypass vulnerability that allows for remote code execution.

*Credits: Original discovery by Real World CTF at Chaitin Tech. Reported by Sauercloud.

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2020-12-07 First Exploit
2022-01-28 CVE Reserved
2022-02-11 CVE Published
2022-08-25 Exploited in Wild
2022-09-15 KEV Due Date
2024-08-03 CVE Updated
2024-09-17 EPSS Updated

CWE

CWE-290: Authentication Bypass by Spoofing

CAPEC

References (16)

URL	Tag	Source
http://www.openwall.com/lists/oss-security/2022/02/11/3	Mailing List
https://github.com/apache/apisix/pull/2244
https://seclists.org/oss-sec/2020/q4/187
https://www.openwall.com/lists/oss-security/2022/02/11/3

URL	Date	SRC
https://www.exploit-db.com/exploits/50829	2022-03-16
https://github.com/Mr-xn/CVE-2022-24112	2022-02-22
https://github.com/M4xSec/Apache-APISIX-CVE-2022-24112	2022-03-16
https://github.com/Axx8/CVE-2022-24112	2022-02-25
https://github.com/Mah1ndra/CVE-2022-24112	2022-03-08
https://github.com/CrackerCat/CVE-2022-24112	2022-02-22
https://github.com/wshepherd0010/CVE-2022-24112-Lab	2023-04-06
https://github.com/kavishkagihan/CVE-2022-24112-POC	2022-03-17
http://packetstormsecurity.com/files/166228/Apache-APISIX-Remote-Code-Execution.html	2024-08-03
http://packetstormsecurity.com/files/166328/Apache-APISIX-2.12.1-Remote-Code-Execution.html	2024-08-03
https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/apache_apisix_api_default_token_rce.rb	2020-12-07

URL	Date	SRC

URL	Date	SRC
https://lists.apache.org/thread/lcdqywz8zy94mdysk7p3gfdgn51jmt94	2022-05-11

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Apache Search vendor "Apache"		Apisix Search vendor "Apache" for product "Apisix"				< 2.10.4 Search vendor "Apache" for product "Apisix" and version " < 2.10.4"		-		Affected
Apache Search vendor "Apache"		Apisix Search vendor "Apache" for product "Apisix"				>= 2.11.0 < 2.12.1 Search vendor "Apache" for product "Apisix" and version " >= 2.11.0 < 2.12.1"		-		Affected