Is CVE-2021-43557 known to be exploited?

12 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Vulnerability in Apache Software Foundation Apisix

CVE-2021-43557

The uri-block plugin in Apache APISIX before 2.10.2 uses $request_uri without verification. The $request_uri is the full original request URI without normalization. This makes it possible to construct a URI to bypass the block list on some…

EPSS: 0.583 (98.2th percentile) — read the EPSS interpretation.

Affected products

Apache Software Foundation Apisix — versions 1.5

Public proof-of-concept exploits

References

lists.apache.org/thread/18jyd458ptocr31rnkjs71w4h366mv7h (x_refsource_MISC)
[oss-security] 20211122 CVE-2021-43557: Apache APISIX: Path traversal in request_uri variable (mailing-list, x_refsource_MLIST)
[oss-security] 20211122 Re: CVE-2021-43557: Apache APISIX: Path traversal in request_uri variable (mailing-list, x_refsource_MLIST)
[oss-security] 20211123 Re: CVE-2021-43557: Apache APISIX: Path traversal in request_uri variable (mailing-list, x_refsource_MLIST)

Frequently asked questions

What is CVE-2021-43557?: CVE-2021-43557 is a vulnerability in Apache Software Foundation Apisix. Published 2021-11-22.
Is CVE-2021-43557 known to be exploited?: 12 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.