CVE-2021-43557 is a vulnerability in Apache Apisix
Published on November 22, 2021

Path traversal in request_uri variable
The uri-block plugin in Apache APISIX before 2.10.2 uses $request_uri without verification. The $request_uri is the full original request URI without normalization. This makes it possible to construct a URI to bypass the block list on some occasions. For instance, when the block list contains "^/internal/", a URI like `//internal/` can be used to bypass it. Some other plugins also have the same issue. And it may affect the developer's custom plugin.

NVD

Products Associated with CVE-2021-43557

Want to know whenever a new CVE is published for Apache Apisix? stack.watch will email you.

Apache Apisix

Affected Versions

Apache Software Foundation Apache APISIX:

Version 1.5 and below Apache APISIX 1.5* is affected.

Exploit Probability

EPSS

58.26%

Percentile

98.16%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.

CVE-2021-43557 is a vulnerability in Apache ApisixPublished on November 22, 2021

Products Associated with CVE-2021-43557

Affected Versions

Exploit Probability

CVE-2021-43557 is a vulnerability in Apache Apisix
Published on November 22, 2021