Is apisix 2.11.0 version affected by CVE-2022-24112?

[tarihub]

Issue description

2.11.0 version batch-requests is enabled by default
https://github.com/apache/apisix/blob/2.11.0/conf/config-default.yaml#L310

and 2.11.0 doesn't have patch code in
https://github.com/apache/apisix/blob/2.11.0/apisix/plugins/batch-requests.lua#L168

here is CVE-2022-24112's patch code
https://github.com/apache/apisix/pull/6251/files#diff-b80ee9fead226c0432f9e78cf5cae941641f9f685c49002f6a51310dd7134892R169

but in announcement, it only refer to 2.10.x version and 2.12.x version

Environment

default environment

[leslie-tsang]

Is apisix 2.11.0 version affected by CVE-2022-24112

Yes, apisix 2.11.0 was affected.

[tarihub]

Is there any plan to release a patch for 2.11.0? I see 2.10.x and 2.12.x have a patch version

[tzssangglass]

2.11.0 is not LTS version, won't backport to this version.

[tarihub]

Ok, thanks to reply!

[leslie-tsang]

It's recommended to upgrade APISIX to the latest version 2.12.1.

[tarihub]

ok!