List:       oss-security
Subject:    [oss-security] Re: CVE-2021-43557: Apache APISIX: Path traversal in request_uri variable
From:       Zhiyuan Ju <juzhiyuan () apache ! org>
Date:       2021-11-23 3:29:57
Message-ID: CAC_jp4h3O6FSCLb=JV2HoUA1wZUin2yW2=MqtwW7N=8Bq0F9sg () mail ! gmail ! com


Hi,

Thanks to Marcin, and Apache APISIX's website just published his blog about
this CVE [1].

Welcome to read this post :)

[1] https://apisix.apache.org/blog/2021/11/23/cve-2021-43557-research-report

Best Regards!
@ Zhiyuan Ju <https://github.com/juzhiyuan>


Zexuan Luo <spacewander@apache.org> wrote on Monday, 22 November 2021 at 2:30 PM:

> Severity: moderate
>
> Description:
>
> The uri-block plugin in APISIX uses $request_uri without verification.
> The $request_uri is the full original request URI without
> normalization.
> This makes it possible to construct a URI to bypass the block list on
> some occasions. For instance, when the block list contains
> "^/internal/", a URI like `//internal/` can be used to bypass it.
>
> Some other plugins also have the same issue. And it may affect the
> developer's custom plugin.
>
> This issue is fixed in APISIX 2.10.2.
> Thanks to Marcin Niemiec for reporting the vulnerability.
>
> Mitigation:
>
> 1. Upgrade to APISIX 2.10.2
> 2. Carefully review custom code, and find & fix any usage of $request_uri
> without verification.
>
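As an added illustration (Python, written for this page; it is not APISIX's own Lua plugin code and not part of the advisory or the reply above), the two checks below contrast matching a block rule against the raw `$request_uri` value with matching it against a canonicalized path. The rule `^/internal/` and the `//internal/` input come from the advisory; the other inputs are constructed samples covering the dot-segment and percent-encoding cases a normalizer also has to handle before a prefix rule can be trusted.

```python
import re
from urllib.parse import unquote

# Block rules in the shape the uri-block plugin takes them: regexes matched
# against the request path. Constructed sample rule taken from the advisory.
BLOCK_RULES = [re.compile(r"^/internal/")]


def is_blocked_raw(request_uri: str, rules=BLOCK_RULES) -> bool:
    """Match the rules against the raw, un-normalized request URI.

    This mirrors the pre-2.10.2 behaviour the advisory describes: the value
    is used exactly as the client sent it, so "//internal/" does not start
    with "/internal/" and slips past the rule.
    """
    return any(rule.search(request_uri) for rule in rules)


def normalize_path(request_uri: str) -> str:
    """Reduce a request URI to one canonical path form before matching.

    Steps: drop the query string ($request_uri carries it), percent-decode
    once, collapse empty and "." segments (so "//" and "/./" disappear),
    resolve ".." without climbing above the root, and keep a trailing slash
    where the original path ended in a directory-like segment so that a
    rule such as "^/internal/" still matches.
    """
    path = request_uri.split("?", 1)[0]
    path = unquote(path)
    parts = path.split("/")
    segments = []
    for seg in parts:
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    norm = "/" + "/".join(segments)
    if norm != "/" and parts[-1] in ("", ".", ".."):
        norm += "/"
    return norm


def is_blocked_normalized(request_uri: str, rules=BLOCK_RULES) -> bool:
    """Match the rules against the canonical path, the check the fix requires."""
    return any(rule.search(normalize_path(request_uri)) for rule in rules)


if __name__ == "__main__":
    # Constructed sample inputs; the first one is the case from the advisory.
    for uri in ["//internal/", "/internal/secret?x=1", "/public/../internal/",
                "/%69nternal/admin", "/public/"]:
        print(f"{uri!r:28} raw={is_blocked_raw(uri)!s:5} "
              f"normalized={is_blocked_normalized(uri)!s:5} "
              f"canonical={normalize_path(uri)!r}")
```

The canonical form is used only to decide whether the rule fires; the request that is forwarded upstream is unchanged. Whatever normalizer a plugin adopts should decode at most once and be the same one the upstream effectively applies, otherwise the gateway and the backend disagree about which resource a path names and the gap reappears.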

