登录查看更多内容

ApiSec: The week of Dec'27th, 2021. Apache APISIX Remote Code Exeution

Ivan Novikov

CEO @ Wallarm | Leading API Security Solution for Enterprises

发布日期: 2022年1月2日

+ 关注

Apache APISIX Remote Code Execution by API authentication bypass CVE-CVE-2021-45232

Apache APISIX is a cloud-native API gateway https://github.com/apache/apisix driven by an open-source community.

Just a simple API call to the endpoint /apisix/admin/migrate/export allows attackers to download the configuration file and cause Remote Code Exection.

Vulnerable software: Apache APISIX Dashboard < 2.10.1

Look how it's simple:

GET /apisix/admin/migrate/export HTTP/1.1
Host: ...
...

Source: https://github.com/Ilovewomen/cve-2021-45232

?? API Security Threats ??

1,874 位关注者

Dmitry Semenov

DevOps / CKA / AWS / Azure / Certified

3 年

any RCE it's amazing)

1 次回应

查看更多评论

要查看或添加评论，请登录

Ivan Novikov的更多文章

Top 5 API Security Risks Uncovered Through 2023 Incidents

2024年2月20日

Top 5 API Security Risks Uncovered Through 2023 Incidents

The year 2023 has seen its fair share of cybersecurity incidents, with API vulnerabilities often at the heart of these…
Etherium Response on API Security: how GraphQL CRASH blockchain

2023年10月18日

Etherium Response on API Security: how GraphQL CRASH blockchain

Geth, the Go Ethereum node, is integral to Ethereum networks. Though packed with features, it’s not bulletproof.

2 条评论
No API Management Without API Security. But API Security Without API Management? Absolutely.

2023年9月22日

No API Management Without API Security. But API Security Without API Management? Absolutely.

Here's the deal. You can't talk API management without bringing security to the table.
5 reasons why OWASP Top Ten 2021 is broken

2022年4月22日

5 reasons why OWASP Top Ten 2021 is broken

Dear community. Please let me skip any introduction and drop just 5 points straightforwardly.

5 条评论
Moving day! This newsletter is moving to the "API Security Community" group

2022年3月2日

Moving day! This newsletter is moving to the "API Security Community" group

Dear subscribers! This newsletter is now converted to a private unlisted group "API Security Community". The group is…
API exploits: the week of January 31st. Huawei, Zoho, and DPD API auth bypass.

2022年2月8日

API exploits: the week of January 31st. Huawei, Zoho, and DPD API auth bypass.

DPD package sniffing by API First of all, this is a great example of the vulnerability disclosure efforts from the…
API exploits: the week of January 24th. Agilia Infusion, Tesla, Codeigniter4, and Reolink cameras

2022年1月30日

API exploits: the week of January 24th. Agilia Infusion, Tesla, Codeigniter4, and Reolink cameras

We usually think about APIs as IoT, connected cars, medical devices, mobile apps backends, Single Page Applications, or…
API security exploits of the week of January 17th, 2022. F5, NGINX, Juniper, Istio, and Grafana API vulnerabilities.

2022年1月25日

API security exploits of the week of January 17th, 2022. F5, NGINX, Juniper, Istio, and Grafana API vulnerabilities.

The last seven days were really rich for API exploits. It's not often to meet a dozen of API issues in top security…
ApiSec: The week of Jan'10th, 2022. CISCO, MSFT, IBM, MITRE and NodeJS. The week of command injections.

2022年1月15日

ApiSec: The week of Jan'10th, 2022. CISCO, MSFT, IBM, MITRE and NodeJS. The week of command injections.

CISCO Tetration API root-level command injection A vulnerability in the web-based management interface and in the API…

1 条评论

See all articles

ApiSec: The week of Dec'27th, 2021. Apache APISIX Remote Code Exeution

Ivan Novikov

CEO @ Wallarm | Leading API Security Solution for Enterprises

Apache APISIX Remote Code Execution by API authentication bypass CVE-CVE-2021-45232

?? API Security Threats ??

1,874 位关注者

Ivan Novikov的更多文章

社区洞察

其他会员也浏览了

CyberLens

New York Flankees

The Evolution of C#

Yet Another CLI Trick: grep for multiple matches

Posit Workbench 2024.12.0

Prefork & Worker Modules in Apache

Test containers: A year-in-review (Talk @TestBustersDay&Night)

Demystifying the Differences Between Soft Links and Hard Links

RAM (RANDOM ACCESS MEMORY)

What happens when you type `ls -l *.c` in the shell?

Apache APISIX Remote Code Execution by API authentication bypass CVE-CVE-2021-45232

?? API Security Threats ??

1,874 位关注者

Ivan Novikov的更多文章

Top 5 API Security Risks Uncovered Through 2023 Incidents

Etherium Response on API Security: how GraphQL CRASH blockchain

No API Management Without API Security. But API Security Without API Management? Absolutely.

5 reasons why OWASP Top Ten 2021 is broken

Moving day! This newsletter is moving to the "API Security Community" group

API exploits: the week of January 31st. Huawei, Zoho, and DPD API auth bypass.

API exploits: the week of January 24th. Agilia Infusion, Tesla, Codeigniter4, and Reolink cameras

API security exploits of the week of January 17th, 2022. F5, NGINX, Juniper, Istio, and Grafana API vulnerabilities.

ApiSec: The week of Jan'10th, 2022. CISCO, MSFT, IBM, MITRE and NodeJS. The week of command injections.

社区洞察

其他会员也浏览了

CyberLens

New York Flankees

The Evolution of C#

Yet Another CLI Trick: grep for multiple matches

Posit Workbench 2024.12.0

Prefork & Worker Modules in Apache

Test containers: A year-in-review (Talk @TestBustersDay&Night)

Demystifying the Differences Between Soft Links and Hard Links

RAM (RANDOM ACCESS MEMORY)

What happens when you type `ls -l *.c` in the shell?