Access Control Bypass in OpenResty Affects Web Application Firewalls
CVE-2018-9230

9.8CRITICAL

Key Information:

Vendor

Openresty

Status
Vendor
CVE Published:
2 April 2018

What is CVE-2018-9230?

In OpenResty versions up to 1.13.6.1, an issue arises where URI parameters retrieved using the ngx.req.get_uri_args and ngx.req.get_post_args functions are limited to the first hundred parameters. This limitation can be exploited by remote attackers who may bypass access restrictions or disrupt the functionality of certain Web Application Firewall solutions such as ngx_lua_waf or X-WAF. Although the vendor indicates that this 100-parameter cap is an intentional design choice that can be modified via the API, they assert that any security implications stemming from the misuse of the API within a WAF are the responsibility of the respective WAF product.

References

EPSS Score

13% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.