QwikSec

Security Database

CVE

CWE

Training

CVE Database
/

CVE-2022-24112

Back to search

CVE-2022-24112

Published: Feb 11, 2022

Modified: Oct 21, 2025

PUBLISHED

Description

An attacker can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. A default configuration of Apache APISIX (with default API key) is vulnerable to remote code execution. When the admin key was changed or the port of Admin API was changed to a port different from the data panel, the impact is lower. But there is still a risk to bypass the IP restriction of Apache APISIX's data panel. There is a check in the batch-requests plugin which overrides the client IP with its real remote IP. But due to a bug in the code, this check can be bypassed.

VendorProductVersions

Apache Software Foundation

Apache APISIX

affected
Apache APISIX 2.12 - < 2.12.1
affected
Apache APISIX 2.10 - < 2.10.4
affected
1.3 - < Apache APISIX 1*

Weaknesses (CWE)

CWE-290

References

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now