CVE-2021-43557: 
Apache APISIX vulnerability analysis and mitigation

CVE-2021-43557 is a path traversal vulnerability discovered in Apache APISIX's uri-block plugin affecting versions before 2.10.2. The vulnerability was reported by Marcin Niemiec and disclosed on November 22, 2021. The issue exists in the uri-block plugin which uses $requesturi without proper verification, where $requesturi represents the full original request URI without normalization (OSS Security).

The vulnerability stems from the improper handling of the $request_uri variable in the uri-block plugin. Since the request URI is processed without normalization, it creates a path traversal vulnerability. For example, when the block list contains a pattern like '^/internal/', an attacker can bypass this restriction by constructing a URI like '//internal/'. This issue affects not only the uri-block plugin but also extends to other plugins and potentially impacts custom plugins developed for APISIX (NVD, OSS Security).

The vulnerability allows attackers to bypass URI blocking mechanisms implemented in Apache APISIX. By exploiting this vulnerability, malicious actors could access restricted paths that were intended to be blocked by the uri-block plugin, potentially leading to unauthorized access to protected resources (OSS Security).

Two primary mitigation strategies have been recommended: 1) Upgrade to Apache APISIX version 2.10.2 or later, which contains the fix for this vulnerability, and 2) Carefully review and fix any custom code that uses $request_uri without proper verification (OSS Security).

The Apache APISIX team responded quickly to the vulnerability report, with the fix being verified and implemented promptly. The community response was positive, with Apache APISIX's website publishing a detailed blog post about the CVE. Marcin Niemiec, who reported the vulnerability, praised the quick response and verification of the issue (OSS Security, OSS Security).