CVE-2022-24112

apisix/batch-requests plugin allows overwriting the X-REAL-IP header

CVSS 9.8 CRITICAL | EPSS 96.2% | KEV | CWE-290
In short

The batch-requests plugin in Apache APISIX lets an attacker bypass the IP address restriction on the Admin API. By crafting a batch request, an attacker can appear to come from a trusted IP address and reach the Admin API from an untrusted network position; when the default admin API key is still in use, that access is enough for remote code execution on the gateway.

Technical detail

The batch-requests plugin splits one HTTP request into several internal sub-requests and, to keep IP-based access control meaningful, is supposed to override the client IP forwarded with each sub-request with the real remote IP of the caller. A bug in that check lets a crafted batch request bypass it, so a sub-request can reach the Admin API as if it came from an allowed address. With the default admin key in place this becomes remote code execution. Changing the admin key, or serving the Admin API on a port separate from the data plane, lowers the impact, but the IP restriction on the data plane itself can still be bypassed. Exploitation needs only network access to the APISIX instance: no credentials and no user interaction (CVSS AV:N/PR:N/UI:N).

Summary generated and translated by AI from the official description.
An attacker can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. A default configuration of Apache APISIX (with default API key) is vulnerable to remote code execution. When the admin key was changed or the port of Admin API was changed to a port different from the data panel, the impact is lower. But there is still a risk to bypass the IP restriction of Apache APISIX's data panel. There is a check in the batch-requests plugin which overrides the client IP with its real remote IP. But due to a bug in the code, this check can be bypassed.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
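A triage helper for the conditions the advisory names, added here as an example and not code from the APISIX project or from this page: it takes an APISIX 2.x config.yaml that has already been loaded into a dictionary (for instance with yaml.safe_load) and flags whether batch-requests is enabled, whether the Admin API shares the data-plane listener, whether it depends on the allow_admin IP list that this flaw bypasses, and whether the shipped default admin key is still set. The config key names (apisix.enable_admin, apisix.port_admin, apisix.allow_admin, apisix.admin_key, and the top-level plugins list) follow the 2.x layout; the default key value is the one in the 2.x config-default.yaml; the two sample configs are constructed for the example.

```python
"""Exposure triage for CVE-2022-24112 against a parsed APISIX 2.x config.yaml.

Added example, not APISIX project code. It checks the aggravating conditions
the advisory names: batch-requests enabled, Admin API on the data-plane
listener, Admin API guarded by an IP allowlist (which the bug bypasses), and
the shipped default admin key still in use. Key names follow the 2.x layout.
"""
from typing import Any, Dict, List

# Default admin key shipped in APISIX 2.x config-default.yaml.
DEFAULT_ADMIN_KEY = "edd1c9f034335f136f87ad84b625c8f1"


def assess(config: Dict[str, Any]) -> Dict[str, Any]:
    """Return {"findings": [...], "rce_exposed": bool} for one parsed config.

    rce_exposed is True only for the advisory's worst case: the vulnerable
    plugin is reachable, the Admin API is enabled, and the default key is set.
    """
    findings: List[str] = []
    apisix = config.get("apisix", {})

    # An explicit top-level "plugins:" list replaces the default plugin set;
    # with no list, assume the 2.x default set, which includes batch-requests.
    plugins = config.get("plugins")
    batch_enabled = plugins is None or "batch-requests" in plugins
    if batch_enabled:
        findings.append("batch-requests plugin enabled: vulnerable code path reachable")

    admin_enabled = apisix.get("enable_admin", True)
    default_key = False
    if admin_enabled:
        # Without port_admin the Admin API shares the data-plane port, so a
        # batch sub-request can reach /apisix/admin/* through the same listener.
        if not apisix.get("port_admin"):
            findings.append("Admin API served on the data-plane port (no port_admin)")
        # allow_admin is exactly the IP restriction this bug bypasses, so it is
        # only a finding while the vulnerable plugin is reachable.
        if batch_enabled and apisix.get("allow_admin"):
            findings.append("Admin API relies on allow_admin IP list, which this flaw bypasses")
        for entry in apisix.get("admin_key", []):
            if entry.get("key") == DEFAULT_ADMIN_KEY:
                default_key = True
                findings.append(f"admin_key '{entry.get('name')}' is the shipped default key")

    return {
        "findings": findings,
        "rce_exposed": batch_enabled and admin_enabled and default_key,
    }


# Constructed sample configs (not taken from any real deployment).
DEFAULT_LIKE_CONFIG = {
    "apisix": {
        "allow_admin": ["127.0.0.0/24"],
        "admin_key": [{"name": "admin", "key": DEFAULT_ADMIN_KEY, "role": "admin"}],
    },
}

HARDENED_CONFIG = {
    "apisix": {
        "port_admin": 9180,
        "allow_admin": ["10.0.0.0/8"],
        "admin_key": [{"name": "admin", "key": "rotated-random-value-placeholder", "role": "admin"}],
    },
    "plugins": ["limit-count", "key-auth"],  # batch-requests deliberately omitted
}

if __name__ == "__main__":
    for name, cfg in (("default-like", DEFAULT_LIKE_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = assess(cfg)
        print(f"{name}: rce_exposed={result['rce_exposed']}")
        for finding in result["findings"]:
            print("  -", finding)
```

Run it against the dictionary produced by loading a real config.yaml; a non-empty findings list with rce_exposed set is the advisory's default-configuration case, while a rotated key alone still leaves the data-plane IP restriction bypassable until the plugin is disabled or the gateway is upgraded.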
