CVE-2022-25757

In Apache APISIX before 2.13.0, when decoding JSON with duplicate keys, lua-cjson will choose the last occurred value as the result. By passing a JSON with a duplicate key, the attacker can bypass the body_schema validation in the request-validation plugin. For example, `{"string_payload":"bad","string_payload":"good"}` can be used to hide the "bad" input. Systems satisfy three conditions below are affected by this attack: 1. use body_schema validation in the request-validation plugin 2. upstream application uses a special JSON library that chooses the first occurred value, like jsoniter or gojay 3. upstream application does not validate the input anymore. The fix in APISIX is to re-encode the validated JSON input back into the request body at the side of APISIX. Improper Input Validation vulnerability in __COMPONENT__ of Apache APISIX allows an attacker to __IMPACT__. This issue affects Apache APISIX Apache APISIX version 2.12.1 and prior versions.

CVSS v3 9.8 CRITICAL
CVSS v2.0 6.8 MEDIUM

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

6.8^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:P/I:P/A:P

Exploitability : 8.6 / Impact : 6.4

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://www.openwall.com/lists/oss-security/2022/03/28/2	Mailing List Third Party Advisory
https://lists.apache.org/thread/03vd2j81krxmpz6xo8p1dl642flpo6fv	Mailing List Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:apisix:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2022-03-28 07:15

Updated : 2024-02-28 19:09

NVD link : CVE-2022-25757

Mitre link : CVE-2022-25757

CVE.ORG link : CVE-2022-25757

JSON object : View

Products Affected

apache

apisix

CWE

CWE-20

Improper Input Validation

{"id": "CVE-2022-25757", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2022-03-28T07:15:06.730", "references": [{"url": "http://www.openwall.com/lists/oss-security/2022/03/28/2", "tags": ["Mailing List", "Third Party Advisory"], "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread/03vd2j81krxmpz6xo8p1dl642flpo6fv", "tags": ["Mailing List", "Vendor Advisory"], "source": "security@apache.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-20"}]}, {"type": "Secondary", "source": "security@apache.org", "description": [{"lang": "en", "value": "CWE-20"}]}], "descriptions": [{"lang": "en", "value": "In Apache APISIX before 2.13.0, when decoding JSON with duplicate keys, lua-cjson will choose the last occurred value as the result. By passing a JSON with a duplicate key, the attacker can bypass the body_schema validation in the request-validation plugin. For example, `{\"string_payload\":\"bad\",\"string_payload\":\"good\"}` can be used to hide the \"bad\" input. Systems satisfy three conditions below are affected by this attack: 1. use body_schema validation in the request-validation plugin 2. upstream application uses a special JSON library that chooses the first occurred value, like jsoniter or gojay 3. upstream application does not validate the input anymore. The fix in APISIX is to re-encode the validated JSON input back into the request body at the side of APISIX. Improper Input Validation vulnerability in __COMPONENT__ of Apache APISIX allows an attacker to __IMPACT__. This issue affects Apache APISIX Apache APISIX version 2.12.1 and prior versions."}, {"lang": "es", "value": "En Apache APISIX versiones anteriores a 2.13.0, cuando es decodificado JSON con claves duplicadas, lua-cjson elegir\u00e1 como resultado el \u00faltimo valor ocurrido. Al pasar un JSON con una clave duplicada, el atacante puede omitir la comprobaci\u00f3n body_schema en el plugin de comprobaci\u00f3n de peticiones. Por ejemplo, \"{\"string_payload\": \"bad\", \"string_payload\": \"good\"}\" puede usarse para ocultar la entrada \"bad\". Los sistemas que cumplen las tres condiciones siguientes est\u00e1n afectados por este ataque: 1. usar la comprobaci\u00f3n body_schema en el plugin de comprobaci\u00f3n de peticiones 2. la aplicaci\u00f3n upstream usa una librer\u00eda JSON especial que elige el primer valor ocurrido, como jsoniter o gojay 3. la aplicaci\u00f3n upstream ya no comprueba la entrada. La soluci\u00f3n en APISIX es recodificar la entrada JSON comprobada en el cuerpo de la petici\u00f3n en el lado de APISIX. Una vulnerabilidad de comprobaci\u00f3n de entrada inapropiada en __COMPONENT__ de Apache APISIX permite a un atacante __IMPACT__. Este problema afecta a Apache APISIX versiones 2.12.1 y anteriores"}], "lastModified": "2022-04-04T17:22:20.703", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:apisix:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A98786C4-0B1A-4E17-93EF-9FE47819FF3F", "versionEndExcluding": "2.13.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@apache.org"}