CVE-2022-24112
Description
An attacker can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. A default configuration of Apache APISIX (with default API key) is vulnerable to remote code execution. When the admin key was changed or the port of Admin API was changed to a port different from the data panel, the impact is lower. But there is still a risk to bypass the IP restriction of Apache APISIX's data panel. There is a check in the batch-requests plugin which overrides the client IP with its real remote IP. But due to a bug in the code, this check can be bypassed.
Severity: CRITICAL
CVE ID: CVE-2022-24112
CVSS Score: 9.8
CVSS Metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Proof Of Concept
Nuclei Templates for CVE-2022-24112
Refrence: Project Discovery GitHub
Mr-xn
CVE-2022-24112:Apache APISIX apisix/batch-requests RCE
Refrence: GitHub
Udyz
Apache APISIX apisix/batch-requests RCE
Refrence: GitHub
Axx8
Apache APISIX batch-requests RCE(CVE-2022-24112)
Refrence: GitHub
Mah1ndra
CVE-2022-24112: Apache APISIX Remote Code Execution Vulnerability
Refrence: GitHub
M4xSec
Apache APISIX Remote Code Execution (CVE-2022-24112) proof of concept exploit
Refrence: GitHub
kavishkagihan
Apache APISIX 2.12.1 Remote Code Execution by IP restriction bypass and using default admin AIP token
Refrence: GitHub
twseptian
Apache APISIX < 2.12.1 Remote Code Execution and Docker Lab
Refrence: GitHub
Acczdy
CVE-2022-24112_POC
Refrence: GitHub
wshepherd0010
Refrence: GitHub