Severity: high Description:
An attacker can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. A default configuration of Apache APISIX (with default API key) is vulnerable to remote code execution. When the admin key was changed or the port of Admin API was changed to a port different from the data panel, the impact is lower. But there is still a risk to bypass the IP restriction of Apache APISIX's data panel. There is a check in the batch-requests plugin which overrides the client IP with its real remote IP. But due to a bug in the code, this check can be bypassed. Mitigation: 1. explicitly configure the enabled plugins in `conf/config.yaml`, ensure `batch-requests` is disabled. (Or just comment out `batch-requests` in `conf/config-default.yaml`) Or 1. upgrade to 2.10.4 or 2.12.1. Credit: Original discovery by Real World CTF at Chaitin Tech. Reported by Sauercloud.