Access Control Bypass in OpenResty Affects Web Application Firewalls
CVE-2018-9230
What is CVE-2018-9230?
In OpenResty versions up to 1.13.6.1, an issue arises where URI parameters retrieved using the ngx.req.get_uri_args and ngx.req.get_post_args functions are limited to the first hundred parameters. This limitation can be exploited by remote attackers who may bypass access restrictions or disrupt the functionality of certain Web Application Firewall solutions such as ngx_lua_waf or X-WAF. Although the vendor indicates that this 100-parameter cap is an intentional design choice that can be modified via the API, they assert that any security implications stemming from the misuse of the API within a WAF are the responsibility of the respective WAF product.
References
EPSS Score
13% chance of being exploited in the next 30 days.
CVSS V3.1
Timeline
Vulnerability published
Vulnerability Reserved
