CVE-2022-25757 - Vulnerability Details

Vendors	Products
Apache	Apisix

Link	Providers
http://www.openwall.com/lists/oss-security/2022/03/28/2
https://lists.apache.org/thread/03vd2j81krxmpz6xo8p1dl642flpo6fv

{"containers": {"cna": {"affected": [{"product": "Apache APISIX", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "2.12.1", "status": "affected", "version": "Apache APISIX", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Thanks for Guangli Dong from www.huoxian.cn"}], "descriptions": [{"lang": "en", "value": "In Apache APISIX before 2.13.0, when decoding JSON with duplicate keys, lua-cjson will choose the last occurred value as the result. By passing a JSON with a duplicate key, the attacker can bypass the body_schema validation in the request-validation plugin. For example, `{\"string_payload\":\"bad\",\"string_payload\":\"good\"}` can be used to hide the \"bad\" input. Systems satisfy three conditions below are affected by this attack: 1. use body_schema validation in the request-validation plugin 2. upstream application uses a special JSON library that chooses the first occurred value, like jsoniter or gojay 3. upstream application does not validate the input anymore. The fix in APISIX is to re-encode the validated JSON input back into the request body at the side of APISIX. Improper Input Validation vulnerability in __COMPONENT__ of Apache APISIX allows an attacker to __IMPACT__. This issue affects Apache APISIX Apache APISIX version 2.12.1 and prior versions."}], "metrics": [{"other": {"content": {"other": "low"}, "type": "unknown"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "CWE-20 Improper Input Validation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-03-28T11:06:08", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://lists.apache.org/thread/03vd2j81krxmpz6xo8p1dl642flpo6fv"}, {"name": "[oss-security] 20220328 CVE-2022-25757: Apache APISIX: the body_schema check in request-validation plugin can be bypassed", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2022/03/28/2"}], "source": {"discovery": "UNKNOWN"}, "title": "Apache APISIX: the body_schema check in request-validation plugin can be bypassed", "workarounds": [{"lang": "en", "value": "1. upgrade APISIX to 2.13.0 if you need to use the body_schema validation in the request-validation plugin\n2. add additional validation in the application code, embrace defensive programming"}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@apache.org", "ID": "CVE-2022-25757", "STATE": "PUBLIC", "TITLE": "Apache APISIX: the body_schema check in request-validation plugin can be bypassed"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Apache APISIX", "version": {"version_data": [{"version_affected": "<=", "version_name": "Apache APISIX", "version_value": "2.12.1"}]}}]}, "vendor_name": "Apache Software Foundation"}]}}, "credit": [{"lang": "eng", "value": "Thanks for Guangli Dong from www.huoxian.cn"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In Apache APISIX before 2.13.0, when decoding JSON with duplicate keys, lua-cjson will choose the last occurred value as the result. By passing a JSON with a duplicate key, the attacker can bypass the body_schema validation in the request-validation plugin. For example, `{\"string_payload\":\"bad\",\"string_payload\":\"good\"}` can be used to hide the \"bad\" input. Systems satisfy three conditions below are affected by this attack: 1. use body_schema validation in the request-validation plugin 2. upstream application uses a special JSON library that chooses the first occurred value, like jsoniter or gojay 3. upstream application does not validate the input anymore. The fix in APISIX is to re-encode the validated JSON input back into the request body at the side of APISIX. Improper Input Validation vulnerability in __COMPONENT__ of Apache APISIX allows an attacker to __IMPACT__. This issue affects Apache APISIX Apache APISIX version 2.12.1 and prior versions."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": [{"other": "low"}], "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-20 Improper Input Validation"}]}]}, "references": {"reference_data": [{"name": "https://lists.apache.org/thread/03vd2j81krxmpz6xo8p1dl642flpo6fv", "refsource": "MISC", "url": "https://lists.apache.org/thread/03vd2j81krxmpz6xo8p1dl642flpo6fv"}, {"name": "[oss-security] 20220328 CVE-2022-25757: Apache APISIX: the body_schema check in request-validation plugin can be bypassed", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2022/03/28/2"}]}, "source": {"discovery": "UNKNOWN"}, "work_around": [{"lang": "en", "value": "1. upgrade APISIX to 2.13.0 if you need to use the body_schema validation in the request-validation plugin\n2. add additional validation in the application code, embrace defensive programming"}]}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T04:49:43.256Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://lists.apache.org/thread/03vd2j81krxmpz6xo8p1dl642flpo6fv"}, {"name": "[oss-security] 20220328 CVE-2022-25757: Apache APISIX: the body_schema check in request-validation plugin can be bypassed", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2022/03/28/2"}]}]}, "cveMetadata": {"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2022-25757", "datePublished": "2022-03-28T07:00:16", "dateReserved": "2022-02-22T00:00:00", "dateUpdated": "2024-08-03T04:49:43.256Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:apisix:*:*:*:*:*:*:*:*", "matchCriteriaId": "A98786C4-0B1A-4E17-93EF-9FE47819FF3F", "versionEndExcluding": "2.13.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In Apache APISIX before 2.13.0, when decoding JSON with duplicate keys, lua-cjson will choose the last occurred value as the result. By passing a JSON with a duplicate key, the attacker can bypass the body_schema validation in the request-validation plugin. For example, `{\"string_payload\":\"bad\",\"string_payload\":\"good\"}` can be used to hide the \"bad\" input. Systems satisfy three conditions below are affected by this attack: 1. use body_schema validation in the request-validation plugin 2. upstream application uses a special JSON library that chooses the first occurred value, like jsoniter or gojay 3. upstream application does not validate the input anymore. The fix in APISIX is to re-encode the validated JSON input back into the request body at the side of APISIX. Improper Input Validation vulnerability in __COMPONENT__ of Apache APISIX allows an attacker to __IMPACT__. This issue affects Apache APISIX Apache APISIX version 2.12.1 and prior versions."}, {"lang": "es", "value": "En Apache APISIX versiones anteriores a 2.13.0, cuando es decodificado JSON con claves duplicadas, lua-cjson elegir\u00e1 como resultado el \u00faltimo valor ocurrido. Al pasar un JSON con una clave duplicada, el atacante puede omitir la comprobaci\u00f3n body_schema en el plugin de comprobaci\u00f3n de peticiones. Por ejemplo, \"{\"string_payload\": \"bad\", \"string_payload\": \"good\"}\" puede usarse para ocultar la entrada \"bad\". Los sistemas que cumplen las tres condiciones siguientes est\u00e1n afectados por este ataque: 1. usar la comprobaci\u00f3n body_schema en el plugin de comprobaci\u00f3n de peticiones 2. la aplicaci\u00f3n upstream usa una librer\u00eda JSON especial que elige el primer valor ocurrido, como jsoniter o gojay 3. la aplicaci\u00f3n upstream ya no comprueba la entrada. La soluci\u00f3n en APISIX es recodificar la entrada JSON comprobada en el cuerpo de la petici\u00f3n en el lado de APISIX. Una vulnerabilidad de comprobaci\u00f3n de entrada inapropiada en __COMPONENT__ de Apache APISIX permite a un atacante __IMPACT__. Este problema afecta a Apache APISIX versiones 2.12.1 y anteriores"}], "id": "CVE-2022-25757", "lastModified": "2024-11-21T06:52:56.853", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-03-28T07:15:06.730", "references": [{"source": "security@apache.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2022/03/28/2"}, {"source": "security@apache.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/03vd2j81krxmpz6xo8p1dl642flpo6fv"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2022/03/28/2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/03vd2j81krxmpz6xo8p1dl642flpo6fv"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "security@apache.org", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-20"}], "source": "nvd@nist.gov", "type": "Primary"}]}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object