List: oss-security
Subject: [oss-security] Re: CVE-2021-43557: Apache APISIX: Path traversal in request_uri variable
From: Zhiyuan Ju <juzhiyuan () apache ! org>
Date: 2021-11-23 3:29:57
Message-ID: CAC_jp4h3O6FSCLb=JV2HoUA1wZUin2yW2=MqtwW7N=8Bq0F9sg () mail ! gmail ! com
Hi,
Thanks to Marcin; the Apache APISIX website has just published his blog post about
this CVE [1].
You are welcome to read it :)
[1] https://apisix.apache.org/blog/2021/11/23/cve-2021-43557-research-report
Best Regards!
@ Zhiyuan Ju <https://github.com/juzhiyuan>
On Mon, 22 Nov 2021 at 14:30, Zexuan Luo <spacewander@apache.org> wrote:
> Severity: moderate
>
> Description:
>
> The uri-block plugin in APISIX uses $request_uri without verification.
> The $request_uri is the full original request URI without
> normalization.
> This makes it possible to construct a URI to bypass the block list on
> some occasions. For instance, when the block list contains
> "^/internal/", a URI like `//internal/` can be used to bypass it.
>
> Some other plugins also have the same issue. And it may affect the
> developer's custom plugin.
>
> This issue is fixed in APISIX 2.10.2.
> Thanks to Marcin Niemiec for reporting the vulnerability.
>
> Mitigation:
>
> 1. Upgrade to APISIX 2.10.2
> 2. Carefully review custom code, find & fix the usage of $request_uri
> without verification.
>
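The advisory above describes the root cause in one sentence: the block list is matched against the raw `$request_uri`, so any spelling of the path that a regex such as `^/internal/` does not anticipate (`//internal/`, `/./internal/`, `/public/../internal/`, `/%69nternal/`) slips through, while the upstream still serves `/internal/`. The following is an added illustration, not code from APISIX or from the advisory (APISIX plugins are written in Lua; Python is used here only so the example is self-contained). `BLOCK_RULES` is a constructed block list in the spirit of the plugin's configuration, `blocked_raw` reproduces the vulnerable matching, and `normalize_path` plus `blocked_normalized` show the usual remedy of canonicalizing the path (query stripped, one round of percent-decoding, duplicate slashes merged, `.`/`..` segments resolved) before the rules are applied. The advisory does not say how 2.10.2 fixes the issue, so the normalizer here is the author's own and is not a claim about the project's patch.

```python
import re

# Constructed block list, in the style of a regex-based URI block plugin.
# This is an assumption for the demonstration, not an APISIX configuration.
BLOCK_RULES = [r"^/internal/", r"^/admin/"]


def blocked_raw(request_uri: str, rules=BLOCK_RULES) -> bool:
    """Vulnerable behaviour: match the rules against the un-normalized
    request URI exactly as the client sent it."""
    return any(re.search(rule, request_uri) for rule in rules)


def normalize_path(request_uri: str) -> str:
    """Return a canonical path for the request URI:
    - the query string is dropped (rules are about the path),
    - percent-encoding is decoded once (so %69 -> i, %2F -> /),
    - empty segments (duplicate slashes) and '.' are removed,
    - '..' pops the previous segment and never climbs above the root,
    - a trailing slash is preserved so '^/internal/' still fires on '/internal/'.
    Decoding %2F into a real slash is the strict choice: the gateway cannot
    know whether the upstream will treat it as a separator, so it assumes so."""
    path = request_uri.split("?", 1)[0]
    path = re.sub(r"%([0-9A-Fa-f]{2})",
                  lambda m: chr(int(m.group(1), 16)), path)
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    norm = "/" + "/".join(segments)
    if path.endswith("/") and norm != "/":
        norm += "/"
    return norm


def blocked_normalized(request_uri: str, rules=BLOCK_RULES) -> bool:
    """Hardened behaviour: match the rules against the canonical path."""
    return any(re.search(rule, normalize_path(request_uri)) for rule in rules)


def compare(probes):
    """Return {probe: (raw_blocked, normalized_blocked)} for a list of URIs."""
    return {p: (blocked_raw(p), blocked_normalized(p)) for p in probes}


if __name__ == "__main__":
    # Constructed probe URIs; all except the first target /internal/ in disguise.
    probes = [
        "/internal/",
        "//internal/",
        "/./internal/",
        "/public/../internal/",
        "/%69nternal/",
        "/internal/../internal/secret?x=1",
    ]
    for uri, (raw, norm) in compare(probes).items():
        print(f"{uri:40} raw={raw!s:5} normalized={norm!s:5}")
```

Only the first probe is caught by the raw match; every other spelling reaches the upstream unless the path is normalized first. Two caveats for anyone porting the idea: decode percent-encoding exactly once (decoding in a loop turns `%2525` into a different class of bug), and remember that normalization must agree with what the upstream actually does with the path, otherwise a canonical form that the gateway considers harmless can still be routed somewhere sensitive.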