{
  "id": "CVE-2022-24112",
  "details": "An attacker can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. A default configuration of Apache APISIX (with default API key) is vulnerable to remote code execution. When the admin key was changed or the port of Admin API was changed to a port different from the data panel, the impact is lower. But there is still a risk to bypass the IP restriction of Apache APISIX's data panel. There is a check in the batch-requests plugin which overrides the client IP with its real remote IP. But due to a bug in the code, this check can be bypassed.",
  "aliases": [
    "BIT-apisix-2022-24112"
  ],
  "modified": "2026-03-20T11:56:06.701249Z",
  "published": "2022-02-11T13:15:08.073Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "http://www.openwall.com/lists/oss-security/2022/02/11/3"
    },
    {
      "type": "ADVISORY",
      "url": "https://lists.apache.org/thread/lcdqywz8zy94mdysk7p3gfdgn51jmt94"
    },
    {
      "type": "ADVISORY",
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-24112"
    },
    {
      "type": "EVIDENCE",
      "url": "http://packetstormsecurity.com/files/166228/Apache-APISIX-Remote-Code-Execution.html"
    },
    {
      "type": "EVIDENCE",
      "url": "http://packetstormsecurity.com/files/166328/Apache-APISIX-2.12.1-Remote-Code-Execution.html"
    }
  ],
  "affected": [
    {
      "ranges": [
        {
          "type": "GIT",
          "repo": "https://github.com/apache/apisix",
          "events": [
            { "introduced": "0" },
            { "fixed": "d4e658fed1fb998e3301597f663a7fa9cd1d15c3" },
            { "introduced": "a694c4d1d6fe8212af50d4e8573be8aa5564d5a8" },
            { "fixed": "f118f5ea7a5d96023a7bd546545f7c1ad6486495" }
          ],
          "database_specific": {
            "versions": [
              { "introduced": "0" },
              { "fixed": "2.10.4" },
              { "introduced": "2.11.0" },
              { "fixed": "2.12.1" }
            ]
          }
        }
      ],
      "database_specific": {
        "source": "https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-24112.json"
      }
    }
  ],
  "schema_version": "1.7.5",
  "severity": [
    {
      "type": "CVSS_V3",
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
    }
  ]
}