I. Basic information on vulnerability CVE-2022-24112
Vulnerability information


Vulnerability Title
apisix/batch-requests plugin allows overwriting the X-REAL-IP header
Source: US National Vulnerability Database (NVD)
Vulnerability Description
An attacker can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. A default configuration of Apache APISIX (with default API key) is vulnerable to remote code execution. When the admin key was changed or the port of Admin API was changed to a port different from the data panel, the impact is lower. But there is still a risk to bypass the IP restriction of Apache APISIX's data panel. There is a check in the batch-requests plugin which overrides the client IP with its real remote IP. But due to a bug in the code, this check can be bypassed.
Source: US National Vulnerability Database (NVD)
CVSS Information
N/A
Source: US National Vulnerability Database (NVD)
Vulnerability Type
Authentication Bypass by Spoofing
Source: US National Vulnerability Database (NVD)
Vulnerability Title
Apache APISIX security vulnerability
Source: China National Vulnerability Database of Information Security (CNNVD)
Vulnerability Description
Apache APISIX is a cloud-native microservice API gateway from the Apache Software Foundation (USA). It is built on OpenResty and etcd, supports dynamic routing and hot loading of plugins, and is suited to API management in a microservice architecture. A security vulnerability exists in Apache APISIX because the product's batch-requests plugin does not effectively restrict users' batch requests. An attacker can exploit this vulnerability to bypass the restrictions of the Admin API. The following products and versions are affected: Apache APISIX versions before 2.10.4, Apache APISIX versions before 2.12.1
Source: China National Vulnerability Database of Information Security (CNNVD)
CVSS Information
N/A
Source: China National Vulnerability Database of Information Security (CNNVD)
Vulnerability Type
N/A
Source: China National Vulnerability Database of Information Security (CNNVD)
Affected products
Vendor | Product | Affected versions | CPE
Apache Software Foundation | Apache APISIX | Apache APISIX 2.12 ~ 2.12.1 | -
II. Public POCs for vulnerability CVE-2022-24112
# | POC description | Source link
1. CVE-2022-24112: Apache APISIX apisix/batch-requests RCE (https://github.com/Mr-xn/CVE-2022-24112)
2. Apache APISIX apisix/batch-requests RCE (https://github.com/Udyz/CVE-2022-24112)
3. Apache APISIX batch-requests RCE (CVE-2022-24112) (https://github.com/Axx8/CVE-2022-24112)
4. CVE-2022-24112: Apache APISIX Remote Code Execution Vulnerability (https://github.com/Mah1ndra/CVE-2022-24112)
5. Apache APISIX Remote Code Execution (CVE-2022-24112) proof of concept exploit (https://github.com/M4xSec/Apache-APISIX-CVE-2022-24112)
6. Apache APISIX 2.12.1 Remote Code Execution by IP restriction bypass and using default admin API token (https://github.com/kavishkagihan/CVE-2022-24112-POC)
7. Apache APISIX < 2.12.1 Remote Code Execution and Docker Lab (https://github.com/twseptian/cve-2022-24112)
8. CVE-2022-24112_POC (https://github.com/Acczdy/CVE-2022-24112_POC)
9. None (https://github.com/wshepherd0010/CVE-2022-24112-Lab)
10. New exploit for Apache APISIX 2.12.1 - Remote Code Execution (RCE) (https://github.com/btar1gan/exploit_CVE-2022-24112)
11. Apache APISIX apisix/batch-requests RCE (https://github.com/CrackerCat/CVE-2022-24112)
12. A default configuration of Apache APISIX (with default API key) is vulnerable to remote code execution. An attacker can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. When the admin key was changed or the port of Admin API was changed to a port different from the data panel, the impact is lower. But there is still a risk to bypass the IP restriction of Apache APISIX's data panel. There is a check in the batch-requests plugin which overrides the client IP with its real remote IP. But due to a bug in the code, this check can be bypassed. (https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2022/CVE-2022-24112.yaml)
13. Apache APISIX batch-requests RCE (CVE-2022-24112) (https://github.com/SecNN/CVE-2022-24112)
14. None (https://github.com/fatkz/CVE-2022-24112)