
Apache APISIX Path traversal in request_uri variable (CVE-2021-43557)


In versions of Apache APISIX prior to 2.10.2, the uri-blocker plug-in matched its block rules against the $request_uri variable, which holds the original request URI without normalization. As a result, part of the plug-in's restrictions could be bypassed, creating a path traversal risk. The problem was found while running APISIX through the Apache APISIX Ingress Controller.

Problem Description


Testing the scenario with the uri-blocker plug-in enabled gave the following results (the requests were sent from inside the apisix container of a Kubernetes deployment, hence the kubectl "Defaulted container" notice):

    $ ./apisix_request.sh "/public-service/public"
    Defaulted container "apisix" out of: apisix, wait-etcd (init)
    {"data":"public data"}
    $ ./apisix_request.sh "/protected-service/protected"
    Defaulted container "apisix" out of: apisix, wait-etcd (init)
    <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>openresty</center></body></html>

Both routes behave as expected here: public-service is reachable and protected-service is blocked by the plug-in. Further testing of these routes, however, showed that the restriction on protected-service could be bypassed by requesting a non-normalized spelling of the blocked path: APISIX routes the request using the normalized URI, while the plug-in compares its rules against the raw one.

Because the uri-blocker plug-in uses the ctx.var.request_uri variable without normalizing it:

  • An attacker can bypass the plug-in's access control and reach routes that should be blocked;
  • Developers of custom plugins are not warned that the ngx.var.request_uri variable is untrusted, non-normalized input.

Affected Versions

All versions of Apache APISIX prior to 2.10.2 (excluding 2.10.2)

Solution

This issue has been resolved in version 2.10.2; please update to 2.10.2 or later as soon as possible.

For custom plugins, we suggest normalizing the path before using the ngx.var.request_uri variable, or matching against a variable that is already normalized: ctx.var.uri holds nginx's $uri, which is percent-decoded and has "." and ".." segments resolved (and, with the default merge_slashes setting, duplicate slashes merged), and ctx.var.upstream_uri is in most cases normalized as well. Check which of these your plugin actually needs before switching.
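The following is an added example, not code from the APISIX project, showing the difference that normalization makes to a block-rule check like the one described above. It implements a small approximation of nginx's $uri normalization in Python (query string dropped, percent-decoding, duplicate slashes merged, dot segments resolved) and compares a raw-URI match with a normalized-URI match. The block rule and the request paths are constructed for this example; the non-normalized spellings of the protected path illustrate the general mechanism rather than any specific request from the original report.

```python
import re
from urllib.parse import unquote

# Constructed block rule in the style of a uri-blocker block_rules entry
# (a regex matched against the request path). Sample value for this example only.
BLOCK_RULES = [r"^/protected-service/"]


def normalize_path(request_uri: str) -> str:
    """Approximate nginx's $uri: drop the query string, percent-decode,
    merge duplicate slashes (nginx's merge_slashes default) and resolve
    '.' and '..' segments without climbing above the root."""
    path = request_uri.split("?", 1)[0]
    path = unquote(path)
    path = re.sub(r"/{2,}", "/", path)
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    normalized = "/" + "/".join(segments)
    # keep a trailing slash if the decoded path had one (and it is not just "/")
    if path.endswith("/") and normalized != "/":
        normalized += "/"
    return normalized


def is_blocked(request_uri: str, rules=BLOCK_RULES, normalize: bool = True) -> bool:
    """Return True if the path matches a block rule.

    normalize=False mirrors matching against the raw $request_uri, which is
    what the pre-2.10.2 plug-in did; normalize=True matches the $uri-like form.
    """
    path = normalize_path(request_uri) if normalize else request_uri
    return any(re.search(rule, path) for rule in rules)


# Constructed requests: the first two are the test paths from this page, the
# rest are non-normalized spellings of the protected path (dot segment,
# duplicate slash, percent-encoding plus a query string).
SAMPLE_REQUESTS = [
    "/public-service/public",
    "/protected-service/protected",
    "/public-service/../protected-service/protected",
    "//protected-service/protected",
    "/%70rotected-service/protected?x=1",
]


def compare(requests=SAMPLE_REQUESTS):
    """Map each request to (blocked_on_raw_uri, blocked_on_normalized_uri)."""
    return {r: (is_blocked(r, normalize=False), is_blocked(r, normalize=True))
            for r in requests}


if __name__ == "__main__":
    for uri, (raw, norm) in compare().items():
        print(f"{uri:48} raw={'BLOCK' if raw else 'allow':5} "
              f"normalized={'BLOCK' if norm else 'allow'}")
```

Every request after the first two is allowed by the raw-URI check and blocked by the normalized check, which is exactly the gap the advisory describes: the router sees the normalized path and sends the request to protected-service, while a plug-in reading ngx.var.request_uri sees a string that does not start with "/protected-service/". In an APISIX plugin written in Lua the equivalent fix is to match against ctx.var.uri instead of ctx.var.request_uri, or to run your own normalization first if you genuinely need the raw value.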

Vulnerability details

Vulnerability public date: November 22, 2021
CVE details: https://nvd.nist.gov/vuln/detail/CVE-2021-43557

Contributor Profile

The vulnerability was discovered by community user Marcin Niemiec (GitHub: @xvnpw) and reported to the Apache Software Foundation in a timely manner.

Thanks to Marcin Niemiec for his contribution to the Apache APISIX community.