Apache · Apache Apisix · CVE-2025-46647
Name of the Vulnerable Software and Affected Versions:
Apache APISIX versions prior to 3.12.0
Description:
A vulnerability in the openid-connect plugin of Apache APISIX allows an attacker with a valid account on one issuer to log in to another issuer, given certain conditions. All of the following must hold: the openid-connect plugin is used in introspection mode, the auth service it connects to serves multiple issuers, and those issuers share the same private key and rely solely on the issuer (iss) claim being different.
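The condition above is easiest to see as a decision over the JSON that a token introspection endpoint (RFC 7662) returns. The following is an added illustration written for this page, not APISIX's own plugin code or its 3.12.0 fix: it models a gateway that accepts any "active" token beside one that also requires the response's iss claim to match the issuer configured for the route, and it runs a simple detection over constructed access-log lines. All issuer URLs, token names, log lines and function names are constructed for the example.

```python
# Added illustration for CVE-2025-46647 (not APISIX's own code).
# Models the introspection-mode accept decision as a plain function over
# the JSON an OAuth 2.0 token introspection endpoint (RFC 7662) returns.
# All names, issuers and responses below are constructed for this example.
import json

# Constructed: the issuer this particular route is configured to trust.
CONFIGURED_ISSUER = "https://issuer-b.example/realms/b"

# Constructed: introspection responses as a shared auth service might return
# them. Both issuers share one signing key, so a token minted by issuer-a
# validates at the shared service and comes back "active" just like a
# token minted by issuer-b.
INTROSPECTION_RESPONSES = {
    "token-from-issuer-a": json.dumps({
        "active": True, "iss": "https://issuer-a.example/realms/a",
        "sub": "alice", "scope": "openid profile", "exp": 4102444800,
    }),
    "token-from-issuer-b": json.dumps({
        "active": True, "iss": "https://issuer-b.example/realms/b",
        "sub": "bob", "scope": "openid profile", "exp": 4102444800,
    }),
    "expired-token": json.dumps({"active": False}),
}


def introspect(token: str) -> dict:
    """Stand-in for the HTTP call to the introspection endpoint (constructed)."""
    return json.loads(INTROSPECTION_RESPONSES.get(token, '{"active": false}'))


def accept_weak(token: str) -> bool:
    """Weak decision: trust any token the shared service reports as active.

    With a shared signing key, issuer-a's token is accepted on a route that
    was meant to trust only issuer-b; this is the cross-issuer login."""
    return introspect(token).get("active") is True


def accept_hardened(token: str, expected_issuer: str = CONFIGURED_ISSUER) -> bool:
    """Hardened decision: active AND the iss claim names the configured issuer."""
    claims = introspect(token)
    if claims.get("active") is not True:
        return False
    iss = claims.get("iss")
    # A missing or foreign iss is rejected even though the token is active.
    return isinstance(iss, str) and iss == expected_issuer


# Constructed access-log lines: route, token reference, issuer reported by
# introspection and the decision, as a gateway could be configured to log.
SAMPLE_LOG = """\
route=/api/b token=token-from-issuer-b iss=https://issuer-b.example/realms/b decision=allow
route=/api/b token=token-from-issuer-a iss=https://issuer-a.example/realms/a decision=allow
route=/api/b token=expired-token iss=- decision=deny
"""


def cross_issuer_allows(log_text: str, expected_issuer: str = CONFIGURED_ISSUER) -> list:
    """Return log lines where a request was allowed with a foreign issuer.

    Useful for checking historical logs while an upgrade is pending."""
    hits = []
    for line in log_text.splitlines():
        fields = dict(kv.split("=", 1) for kv in line.split())
        if fields.get("decision") == "allow" and fields.get("iss") != expected_issuer:
            hits.append(line)
    return hits


if __name__ == "__main__":
    for tok in INTROSPECTION_RESPONSES:
        print(f"{tok:22} weak={accept_weak(tok)!s:5} hardened={accept_hardened(tok)}")
    print("cross-issuer allows:", cross_issuer_allows(SAMPLE_LOG))
```

The weak path accepts both active tokens; the hardened path accepts only the token whose iss matches the route's configured issuer, which is the distinction the vulnerable configuration lacks. The log scan flags the one allowed request that carried a foreign issuer.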
Recommendations:
For versions prior to 3.12.0, upgrade to version 3.12.0 or higher. As a temporary workaround, consider restricting the use of the openid-connect plugin with introspection mode until the upgrade is applied.