
Apache APISIX Path traversal in request_uri variable(CVE-2021-43557)


In versions of Apache APISIX prior to 2.10.2, the uri-blocker plugin matched its rules against the $request_uri variable without normalizing it, so some of the restrictions it was meant to enforce could be bypassed, creating a path traversal risk. The problem was found while using Apache APISIX Ingress Controller.

Problem Description

In versions of Apache APISIX prior to 2.10.2, the uri-blocker plugin evaluated its rules against the $request_uri variable. That variable carries the request URI exactly as the client sent it, with no normalization, so a blocked path written in an equivalent but un-normalized form was not matched, and the "partial restrictions" the plugin was meant to enforce could be bypassed: a path traversal risk. The problem was found while using Apache APISIX Ingress Controller.

When we tested this scenario with the uri-blocker plugin enabled, the two routes behaved as expected:

$ ./apisix_request.sh "/public-service/public"
Defaulted container "apisix" out of: apisix, wait-etcd (init)
{"data":"public data"}
$ ./apisix_request.sh "/protected-service/protected"
Defaulted container "apisix" out of: apisix, wait-etcd (init)
<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>openresty</center>
</body>
</html>

In both scenarios, public-service is reachable and protected-service is blocked by the plugin, which is the intended result. Further verification and testing of these scenarios showed, however, that the URI restriction could be bypassed in both cases.

Because the uri-blocker plugin used the ctx.var.request_uri variable without normalizing it, two consequences follow:

  • An attacker can bypass the access control restrictions and reach routes that should not be reachable;
  • Developers of custom plugins are not made aware that the ngx.var.request_uri variable is untrusted and must not be matched on directly.

Affected Versions

All versions of Apache APISIX prior to 2.10.2 (2.10.2 itself is not affected).

Solution

This issue has been fixed in version 2.10.2 and later; please upgrade to a fixed version as soon as possible.

For custom plugins, normalize the path before using the ngx.var.request_uri variable. Two other variables, ctx.var.upstream_uri and ctx.var.uri, are very likely already normalized and are worth checking as alternatives.
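The following Lua snippet is an added example and not code from the Apache APISIX project. It illustrates both the bypass described under Problem Description and the normalization recommended above: a rule matched against the raw $request_uri misses equivalent spellings of a blocked path, while the same rule matched against a normalized path catches them. The double-slash form follows the bypass shape given in the CVE record linked below; the remaining request URIs, the block_rules table, the helper names and the sketched plugin call site are assumptions made for this example. Plain Lua patterns stand in for the PCRE regexes that APISIX plugins evaluate through ngx.re, and the block runs under plain Lua 5.1+ or LuaJIT with no OpenResty dependency.

```lua
-- Added example (not APISIX project code): normalize a raw request URI before
-- matching it against a block list. Runs with plain Lua 5.1+/LuaJIT; inside an
-- APISIX plugin the input would be ngx.var.request_uri.

-- Decode %XX escapes. Decoding before splitting on "/" means an encoded slash
-- (%2F) is treated as a separator, which is the conservative choice for an
-- access-control check.
local function percent_decode(s)
  return (s:gsub("%%(%x%x)", function(hex)
    return string.char(tonumber(hex, 16))
  end))
end

-- Return the normalized path of a raw request URI: query string and fragment
-- dropped, percent-encoding decoded, repeated slashes collapsed, "." and ".."
-- segments resolved (".." never climbs above "/").
local function normalize_path(request_uri)
  local path = percent_decode(request_uri:match("^[^?#]*"))
  local segments = {}
  for seg in path:gmatch("[^/]+") do
    if seg == ".." then
      segments[#segments] = nil          -- pop; a no-op at the root
    elseif seg ~= "." then
      segments[#segments + 1] = seg
    end
  end
  local result = "/" .. table.concat(segments, "/")
  if #segments > 0 and path:sub(-1) == "/" then
    result = result .. "/"               -- keep a meaningful trailing slash
  end
  return result
end

-- True when the path matches any rule. Rules are Lua patterns anchored with
-- "^" (an assumption for this example; the real plugin uses PCRE via ngx.re).
local function is_blocked(path, block_rules)
  for _, rule in ipairs(block_rules) do
    if path:find(rule) then
      return true
    end
  end
  return false
end

-- Constructed test inputs. The first is the plain blocked request; the
-- double-slash form is the bypass shape named in the CVE record; the others
-- are further un-normalized spellings of the same path.
local block_rules = { "^/protected%-service/" }
local requests = {
  "/protected-service/protected",
  "//protected-service/protected",
  "/public-service/../protected-service/protected",
  "/%70rotected-service/protected",
  "/./protected-service/protected?x=1",
  "/public-service/public",
}

for _, uri in ipairs(requests) do
  local raw_hit  = is_blocked(uri, block_rules)                  -- vulnerable: raw $request_uri
  local norm_hit = is_blocked(normalize_path(uri), block_rules)  -- hardened: normalized first
  print(string.format("%-50s raw=%-5s normalized=%-5s",
                      uri, tostring(raw_hit), tostring(norm_hit)))
end

-- Self-checks so the file fails loudly if the normalizer regresses.
assert(normalize_path("//protected-service/protected") == "/protected-service/protected")
assert(normalize_path("/public-service/../protected-service/protected") == "/protected-service/protected")
assert(normalize_path("/%70rotected-service/protected") == "/protected-service/protected")
assert(normalize_path("/./protected-service/protected?x=1") == "/protected-service/protected")
assert(normalize_path("/../../etc/passwd") == "/etc/passwd")
assert(normalize_path("/a/b/") == "/a/b/")
assert(not is_blocked("/public-service/public", block_rules))

-- In a custom APISIX plugin the hardened check would sit in the access or
-- rewrite phase, roughly (call site and conf shape are assumptions):
--   local path = normalize_path(ngx.var.request_uri)
--   if is_blocked(path, conf.block_rules) then
--     return 403
--   end
```

Running the file with lua prints one line per request; the raw column is false for every bypass shape while the normalized column is true, and only the genuinely public path stays unblocked in both. Decoding percent-escapes before splitting is deliberate: an encoded slash is then treated as a separator, so the check errs toward blocking rather than toward letting an ambiguous path reach the upstream.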

Vulnerability details

Vulnerability public date: November 22, 2021
CVE details: https://nvd.nist.gov/vuln/detail/CVE-2021-43557

Contributor Profile

The vulnerability was discovered by community user Marcin Niemiec (GitHub: @xvnpw) and reported to the Apache Software Foundation in a timely manner.

Thanks to Marcin Niemiec for his contribution to the Apache APISIX community.