Search
Total
3 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-44487 | 31 Akka, Amazon, Apache and 28 more | 127 Http Server, Opensearch Data Prepper, Apisix and 124 more | 2023-12-20 | N/A | 7.5 HIGH |
| The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. | |||||
| CVE-2022-29266 | 1 Apache | 1 Apisix | 2022-04-29 | 5.0 MEDIUM | 7.5 HIGH |
| In APache APISIX before 3.13.1, the jwt-auth plugin has a security issue that leaks the user's secret key because the error message returned from the dependency lua-resty-jwt contains sensitive information. | |||||
| CVE-2021-43557 | 1 Apache | 1 Apisix | 2021-11-26 | 5.0 MEDIUM | 7.5 HIGH |
| The uri-block plugin in Apache APISIX before 2.10.2 uses $request_uri without verification. The $request_uri is the full original request URI without normalization. This makes it possible to construct a URI to bypass the block list on some occasions. For instance, when the block list contains "^/internal/", a URI like `//internal/` can be used to bypass it. Some other plugins also have the same issue. And it may affect the developer's custom plugin. | |||||