Hi

On Wed, 2 Jul 2025 at 10:08 Junxu Chen <chenju...@apache.org> wrote:
> Severity: important
>
> Affected versions:
>
> - Apache APISIX before 3.12.0
>
> Description:
>
> A vulnerability of plugin openid-connect in Apache APISIX.
>
> This vulnerability will only have an impact if all of the following
> conditions are met:
> 1. Use the openid-connect plugin with introspection mode
> 2. The auth service connected to openid-connect provides services to
> multiple issuers
> 3. Multiple issuers share the same private key and rely only on the
> issuer being different
>
> If affected by this vulnerability, it would allow an attacker with a valid
> account on one of the issuers to log into the other issuer.
>
> This issue affects Apache APISIX: until 3.12.0.
>
> Users are recommended to upgrade to version 3.12.0 or higher.
>
> Credit:
>
> Tiernan Messmer (finder)
>
> References:
>
> https://lists.apache.org/thread/yrpp2cd3o4qkxlrh421mq8gsrt0k4x0w
> https://apisix.apache.org
> https://www.cve.org/CVERecord?id=CVE-2025-46647
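As an added example (constructed for this thread, not APISIX code and not part of the advisory), a Python simulation of the three conditions above: one introspection endpoint serves two issuers under one shared signing key, a check that trusts `active` alone accepts a token from either issuer, and a check that also binds the introspected `iss` to the issuer configured for the route rejects the cross-issuer token. The key, the issuer URLs and the HS256 toy token format are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed setup (assumption): one auth service answers introspection for two
# issuers that share a single signing key. Real IdPs use asymmetric keys and a
# JWKS; the shared-key shape is the condition the advisory describes.
SHARED_KEY = b"constructed-shared-signing-key"
ISSUERS = {"https://issuer-a.example", "https://issuer-b.example"}


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def mint_token(issuer: str, subject: str, ttl: int = 300) -> str:
    """Issue an HS256 token for `issuer` (toy stand-in for a real IdP)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"iss": issuer, "sub": subject, "exp": int(time.time()) + ttl}
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SHARED_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def introspect(token: str) -> dict:
    """Simulated RFC 7662 introspection endpoint shared by both issuers.
    It reports 'active' for any unexpired token under the shared key and echoes
    the token's claims; it has no idea which issuer the calling route expects."""
    header, body, sig = token.split(".")
    expected = hmac.new(SHARED_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        return {"active": False}
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if claims["iss"] not in ISSUERS or claims["exp"] <= time.time():
        return {"active": False}
    return {"active": True, **claims}


def accept_weak(token: str) -> bool:
    """Shape of the vulnerable check: trust the 'active' flag alone."""
    return bool(introspect(token).get("active"))


def accept_bound(token: str, configured_issuer: str) -> bool:
    """Hardened check: 'active' AND the introspected iss must equal the issuer
    this route was configured for, so a sibling issuer's token is rejected."""
    result = introspect(token)
    return bool(result.get("active")) and result.get("iss") == configured_issuer
```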