Bitnami package
apisix
pkg:bitnami/apisix
Vulnerabilities (25)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2022-29266 | — | | | < 2.13.1 | 2.13.1 | Apr 20, 2022 | In Apache APISIX before 3.13.1, the jwt-auth plugin has a security issue that leaks the user's secret key because the error message returned from the dependency lua-resty-jwt contains sensitive information. |
| CVE-2022-25757 | — | | | < 2.13.0 | 2.13.0 | Mar 28, 2022 | In Apache APISIX before 2.13.0, when decoding JSON with duplicate keys, lua-cjson will choose the last occurred value as the result. By passing a JSON with a duplicate key, the attacker can bypass the body_schema validation in the request-validation plugin. For example, `{"string |
| CVE-2022-24112 | — | | KEV | < 2.10.4 | 2.10.4 | Feb 11, 2022 | An attacker can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. A default configuration of Apache APISIX (with default API key) is vulnerable to remote code execution. When the admin key was changed or the port of Admin API was changed |
| CVE-2021-43557 | — | | | < 2.10.2 | 2.10.2 | Nov 22, 2021 | The uri-block plugin in Apache APISIX before 2.10.2 uses $request_uri without verification. The $request_uri is the full original request URI without normalization. This makes it possible to construct a URI to bypass the block list on some occasions. For instance, when the block |
| CVE-2020-13945 | — | | | >= 1.2.0, < 1.5.1 | 1.5.1 | Dec 7, 2020 | In Apache APISIX, the user enabled the Admin API and deleted the Admin API access IP restriction rules. Eventually, the default token is allowed to access APISIX management data. This affects versions 1.2, 1.3, 1.4, 1.5. |