
===================================================================
                             CERT-Renater

                 Note d'Information No. 2022/VULN138

_____________________________________________________________________

DATE                : 06/04/2022
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S) : Systems running Apache APISIX versions prior to 2.13.0.

====================================================================
https://lists.apache.org/thread/03vd2j81krxmpz6xo8p1dl642flpo6fv
_____________________________________________________________________

CVE-2022-25757: Apache APISIX: the body_schema check in
request-validation plugin can be bypassed

Posted to dev@apisix.apache.org
Zexuan Luo - Monday, March 28, 2022 5:16:43 AM GMT+2

Severity: low

Description:

When decoding JSON with duplicate keys, lua-cjson will choose the last
occurring value as the result. By passing a JSON with a duplicate key,
the attacker can bypass the body_schema validation in the
request-validation plugin. For example,
`{"string_payload":"bad","string_payload":"good"}` can be used to hide
the "bad" input.


Systems satisfying the three conditions below are affected by this attack:
1. use body_schema validation in the request-validation plugin
2. upstream application uses a special JSON library that chooses the
first occurring value, like jsoniter or gojay
3. upstream application does not validate the input again.


The fix in APISIX is to re-encode the validated JSON input back into
the request body at the side of APISIX.
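Added example (not part of the advisory or of APISIX's own code): a Python model of the parser differential described above and of the re-encoding fix, plus a defensive duplicate-key check. The schema, the parser stand-ins and the helper names are assumptions made for illustration.

```python
import json

# Constructed sample body: the duplicate-key payload quoted in the advisory.
PAYLOAD = '{"string_payload":"bad","string_payload":"good"}'

# Constructed stand-in for a body_schema: only "good" is accepted for this field.
ALLOWED = {"string_payload": {"good"}}


class DuplicateKey(ValueError):
    """Raised by has_duplicate_keys() when an object repeats a key."""


def parse_last_wins(text):
    """Mimics lua-cjson: on duplicate keys, the last occurrence wins."""
    return json.loads(text)  # Python's json module also keeps the last value


def parse_first_wins(text):
    """Mimics an upstream library (e.g. jsoniter/gojay) that keeps the first occurrence."""
    def hook(pairs):
        out = {}
        for key, value in pairs:
            out.setdefault(key, value)  # keep the first value seen
        return out
    return json.loads(text, object_pairs_hook=hook)


def validate(doc):
    """Stand-in for body_schema validation: every listed field must hold an allowed value."""
    return all(doc.get(key) in values for key, values in ALLOWED.items())


def gateway_vulnerable(raw):
    """Pre-fix behaviour (simplified): validate the decoded body but forward the raw bytes."""
    return raw if validate(parse_last_wins(raw)) else None


def gateway_fixed(raw):
    """Post-fix behaviour (simplified): forward the re-encoded validated document instead."""
    doc = parse_last_wins(raw)
    return json.dumps(doc, separators=(",", ":")) if validate(doc) else None


def has_duplicate_keys(raw):
    """Extra defensive check an upstream could apply: flag any object that repeats a key."""
    def hook(pairs):
        keys = [key for key, _ in pairs]
        if len(keys) != len(set(keys)):
            raise DuplicateKey("duplicate key in JSON object")
        return dict(pairs)
    try:
        json.loads(raw, object_pairs_hook=hook)
    except DuplicateKey:
        return True
    return False
```

With the vulnerable path the upstream's first-wins parser sees "bad" even though validation passed; with the fixed path it sees the same "good" the gateway validated.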


Mitigation:

1. upgrade APISIX to 2.13.0 if you need to use the body_schema
validation in the request-validation plugin
2. add additional validation in the application code, embrace
defensive programming


Credit:

Thanks to Guangli Dong from https://www.huoxian.cn/

========================================================
+ CERT-RENATER      | tel : 01-53-94-20-44              +
+ 23/25 Rue Daviel  | fax : 01-53-94-20-41              +
+ 75013 Paris       | email:cert@support.renater.fr     +
========================================================

