PT-2022-2569 · Apache · Apache Apisix

Published: 2022-02-11 · Updated: 2025-10-23 · CVE-2022-24112

CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Apache APISIX versions 2.12.1

Description: The issue is an authentication bypass vulnerability in Apache APISIX. An attacker can use the batch-requests plugin to send requests that bypass the IP restriction of the Admin API. This can lead to remote code execution, particularly in default configurations that still use the default API key. Changing the admin key, or serving the Admin API on a different port than the data plane, reduces the impact, but the IP restriction of the data plane can still be bypassed. The root cause is a bug in the batch-requests plugin: the check that is meant to overwrite the client-supplied IP with the real remote IP can be bypassed.

Recommendations: For Apache APISIX version 2.12.1, consider disabling the batch-requests plugin until a patch is available, which prevents exploitation of this vulnerability. Additionally, changing the default API key and serving the Admin API on a different port than the data plane help minimize the risk. The most effective resolution is to update to a version that includes a fix for this issue; at the moment, there is no information about a newer version that contains such a fix.
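As an added illustration of the recommendations above (not taken from the advisory or from the APISIX project), the weak layout is shown beside the hardened one as two `conf/config.yaml` fragments. The key names (`apisix.node_listen`, `apisix.port_admin`, `apisix.allow_admin`, `apisix.admin_key`, top-level `plugins`) are assumed from the APISIX 2.x default configuration and should be checked against the installed version; the key values are constructed placeholders.

```yaml
# Fragment 1 (weak): the default-style layout the advisory warns about.
apisix:
  node_listen: 9080            # data plane and Admin API share this port
  # port_admin is not set, so /apisix/admin/* is reachable on node_listen
  allow_admin:
    - 127.0.0.0/24             # IP restriction that the batch-requests bug bypasses
  admin_key:
    - name: admin
      key: "DEFAULT_KEY_UNCHANGED"   # placeholder: an unchanged default key turns the bypass into RCE
      role: admin
plugins:
  - batch-requests             # enabled: one hop from the data plane to the Admin API
  - proxy-rewrite
---
# Fragment 2 (hardened): the advisory's three mitigations applied.
apisix:
  node_listen: 9080            # data plane only
  port_admin: 9180             # Admin API on its own port; restrict it at the firewall as well
  allow_admin:
    - 127.0.0.0/24
  admin_key:
    - name: admin
      key: "REPLACE_WITH_LONG_RANDOM_SECRET"   # placeholder: generate a fresh secret
      role: admin
plugins:                       # batch-requests removed until a fixed build is deployed
  - proxy-rewrite
```

Removing the plugin from the `plugins` list takes effect on reload; a request to the batch-requests endpoint then no longer reaches the Admin API through the data plane.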

Tags: Exploit, RCE

Weakness Enumeration: Authentication Bypass by Spoofing

Related Identifiers: BDU:2022-03010, BIT-APISIX-2022-24112, CVE-2022-24112

Affected Products: Apache Apisix