CVE-2021-43557

Name of the Vulnerable Software and Affected Versions Apache APISIX versions prior to 2.10.2

Description The issue is related to the uri-block plugin in Apache APISIX, which uses the $request uri variable without proper verification. This variable contains the full original request URI without normalization, making it possible for an attacker to construct a URI that bypasses the block list. For example, if the block list includes "^/internal/", an attacker could use a URI like "//internal/" to bypass it. This issue may also affect other plugins and custom developer plugins.

Recommendations For Apache APISIX versions prior to 2.10.2, update to version 2.10.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the uri-block plugin until a patch is applied. Additionally, developers should review their custom plugins for similar issues related to the use of the $request uri variable.