In versions prior to Apache APISIX 2.10.2, there was a problem of "bypassing partial restrictions" that caused the risk of path penetration by using the $request_uri variable in Apache APISIX Ingress Controller.
Because the application makes access control determinations by obtaining the value of the request header
X-Forwarded-For, an attacker can achieve an access control bypass attack by simply tampering with that request header when invoking the API request.
On May 26, NGINX issued a security announcement that fixed a DNS resolver vulnerability (CVE -2021-23017) in the NGINX resolver.
