Apache APISIX: improper validation of issuer from introspection discovery url in plugin openid-connect

A vulnerability of plugin openid-connect in Apache APISIX. This vulnerability will only have an impact if all of the following conditions are met: 1. Use the openid-connect plugin with introspection mode 2. The auth service connected to openid-connect provides services to multiple issuers 3. Multiple issuers share the same private key and relies only on the issuer being different If affected by this vulnerability, it would allow an attacker with a valid account on one of the issuers to log into the other issuer. This issue affects Apache APISIX: until 3.12.0. Users are recommended to upgrade to version 3.12.0 or higher.

N/A

使用假设不可变数据进行的认证绕过

Apache Apisix 安全漏洞

Apache Apisix是美国阿帕奇（Apache）基金会的一个云原生的微服务API网关服务。该软件基于 OpenResty 和 etcd 来实现，具备动态路由和插件热加载，适合微服务体系下的 API 管理。 Apache Apisix 3.12.0之前版本存在安全漏洞，该漏洞源于openid-connect插件在特定条件下可能允许跨发行者登录。

N/A

N/A