Apache APISIX version 2.12.1 suffers from a remote code execution vulnerability.
1a7e1d54f9dea840e2f5decd4c7806d1bf0fb96825738ea5b11723e9659f59b2
Apache APISIX has a default, built-in API token that can be used to obtain full access to the admin API. Access to this API allows for remote Lua code execution through the script parameter added in the 2.x version. This module also leverages another vulnerability to bypass the IP restriction plugin.
75f7fd4db82a985948b400b9686ffc05f654d453b228621992abd5bb2505add2