Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
9.8
CVE-2022-24112
- EPSS 94.44%
- Veröffentlicht 11.02.2022 13:15:08
- Zuletzt bearbeitet 23.10.2025 14:48:48
An attacker can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. A default configuration of Apache APISIX (with default API key) is vulnerable to remote code execution. When the admin key was changed or the ...
7.5
CVE-2021-43557
- EPSS 58.26%
- Veröffentlicht 22.11.2021 09:15:07
- Zuletzt bearbeitet 21.11.2024 06:29:25
The uri-block plugin in Apache APISIX before 2.10.2 uses $request_uri without verification. The $request_uri is the full original request URI without normalization. This makes it possible to construct a URI to bypass the block list on some occasions....
6.5
CVE-2020-13945
- EPSS 93.43%
- Veröffentlicht 07.12.2020 20:15:12
- Zuletzt bearbeitet 21.11.2024 05:02:12
In Apache APISIX, the user enabled the Admin API and deleted the Admin API access IP restriction rules. Eventually, the default token is allowed to access APISIX management data. This affects versions 1.2, 1.3, 1.4, 1.5.