Hi,

Thanks to Marcin, Apache APISIX's website just published his blog post about this CVE [1].

Welcome to read this post :)

[1] https://apisix.apache.org/blog/2021/11/23/cve-2021-43557-research-report

Best Regards!
@ Zhiyuan Ju <https://github.com/juzhiyuan>

On Mon, Nov 22, 2021 at 2:30 PM, Zexuan Luo <[email protected]> wrote:

> Severity: moderate
>
> Description:
>
> The uri-block plugin in APISIX uses $request_uri without verification.
> The $request_uri is the full original request URI without
> normalization.
> This makes it possible to construct a URI to bypass the block list on
> some occasions. For instance, when the block list contains
> "^/internal/", a URI like `//internal/` can be used to bypass it.
>
> Some other plugins also have the same issue. And it may affect the
> developer's custom plugin.
>
> This issue is fixed in APISIX 2.10.2.
> Thanks to Marcin Niemiec for reporting the vulnerability.
>
> Mitigation:
>
> 1. Upgrade to APISIX 2.10.2
> 2. Carefully review custom code, find & fix the usage of $request_uri
> without verification.
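For readers reviewing their own custom plugins (mitigation step 2 of the quoted advisory), here is an added illustration of the check it describes. It is not APISIX code and is written in Python rather than the plugin's Lua: it applies the advisory's example rule `^/internal/` once to the raw `$request_uri` (the pre-fix behaviour) and once to a normalized path (query stripped, percent-decoded once, repeated slashes collapsed, `.` and `..` segments resolved). The rule list, the normalization steps and the request URIs are assumptions constructed for the example.

```python
import re

# Block list as in the advisory's example; regexes are anchored at the
# start of the path, which is exactly why an extra leading '/' slips past.
BLOCK_RULES = [re.compile(r"^/internal/")]


def normalize_path(request_uri: str) -> str:
    """Return the path part of a raw request URI in canonical form.

    Steps (assumed for this example): drop the query string, percent-decode
    once, collapse runs of '/', resolve '.' and '..' segments without ever
    climbing above the root, and keep a trailing slash when the original
    request ended in one (or in '.' / '..', which denote a directory).
    """
    from urllib.parse import unquote

    path = request_uri.split("?", 1)[0]   # $request_uri includes the query
    path = unquote(path)                  # decode once; '%69nternal' -> 'internal'
    segments = path.split("/")
    trailing_slash = segments[-1] in ("", ".", "..")

    out = []
    for seg in segments:
        if seg in ("", "."):
            continue                      # empty (from '//') and '.' add nothing
        if seg == "..":
            if out:
                out.pop()                 # '..' at root is ignored, not an error
            continue
        out.append(seg)

    normalized = "/" + "/".join(out)
    if trailing_slash and out:
        normalized += "/"
    return normalized


def is_blocked(path: str, rules=BLOCK_RULES) -> bool:
    """True if any block rule matches the given path."""
    return any(rule.search(path) for rule in rules)


def vulnerable_check(request_uri: str) -> bool:
    """Pre-fix behaviour: rules applied to the raw, unnormalized URI."""
    return is_blocked(request_uri)


def hardened_check(request_uri: str) -> bool:
    """Rules applied to the normalized path, the form the upstream will see."""
    return is_blocked(normalize_path(request_uri))


if __name__ == "__main__":
    # Constructed sample requests, not taken from any real traffic.
    for uri in ["/internal/admin", "//internal/admin",
                "/public/../internal/admin", "/%69nternal/", "/status?q=/internal/"]:
        print(f"{uri:28} raw={vulnerable_check(uri)!s:5} "
              f"normalized={hardened_check(uri)!s:5} -> {normalize_path(uri)}")
```

The decoding happens before the split on `/`, so an encoded slash (`%2F`) is also treated as a separator rather than as part of a segment; whether that is what you want depends on what the upstream does with the same bytes, which is the real point of the advisory: the block list must be evaluated on the same form of the path that the protected service will act on. Inside nginx/OpenResty that form is the `$uri` variable (decoded, dot segments resolved, duplicate slashes merged), not `$request_uri`.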
