| Severity | CVSS | Advisory | Affected versions |
|---|---|---|---|
| CRITICAL | 9.8 | CVE-2022-24112 (KEV): apisix/batch-requests plugin allows overwriting the X-REAL-IP header | from 0, < 2.10.4; >= 2.11.0, < 2.12.1 |
| | | | from 0, < 3.6.1 |
| CRITICAL | 9.8 | Apache APISIX: the body_schema check in request-validation plugin can be bypassed | from 0, < 2.13.0 |
| CRITICAL | 9.1 | Apache APISIX: forward auth plugin allows header injection | >= 2.12.0, < 3.16.0 |
| HIGH | 7.8 | Apache APISIX Java Plugin Runner: Local listening file permissions in APISIX plugin runner allow a local attacker to elevate privileges | >= 0.2.0, < 3.9.0 |
| HIGH | 7.5 | Apache APISIX: Openid-connect `tls_verify` field is disabled by default | >= 0.7.0, < 3.16.0 |
| HIGH | 7.5 | Apache APISIX: basic-auth logs plaintext credentials at info level | >= 1.0.0, < 3.14.0 |
| HIGH | 7.5 | Path traversal in request_uri variable | from 0, < 2.10.2 |
| HIGH | 7.5 | apisix/jwt-auth may leak secrets in error response | from 0, < 2.13.1 |
| MEDIUM | 6.5 | In Apache APISIX, the user enabled the Admin API and deleted the Admin API access IP restriction rules. | >= 1.2.0, < 1.5.1 |
| MEDIUM | 6.3 | Apache APISIX: Forward-Auth Request Smuggling | >= 3.8.0, < 3.9.1 |
| MEDIUM | 5.3 | Apache APISIX: Plugin tencent-cloud-cls log export uses plaintext HTTP | >= 2.99.0, < 3.16.0 |
| MEDIUM | 5.3 | Apache APISIX: improper validation of issuer from introspection discovery url in plugin openid-connect | from 0, < 3.12.0 |