
List:       oss-security
Subject:    [oss-security] CVE-2021-45232: Apache APISIX Dashboard: security vulnerability on unauthorized acces
From:       JunXu Chen <chenjunxu () apache ! org>
Date:       2021-12-27 14:25:04
Message-ID: CAMikTu7OC1+SN_nOMEcSdFoE7EVmVKYt56WctqQe+nDYqMkAVA () mail ! gmail ! com


Severity: high

Description:

In Apache APISIX Dashboard before 2.10.1, the Manager API uses two
frameworks: the `droplet` framework is layered on top of the `gin`
framework, and all APIs and the authentication middleware are developed
on `droplet`. Some APIs, however, use the `gin` interface directly, and
so never pass through that middleware, bypassing authentication.
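As an added illustration (not code from the advisory or from the APISIX Dashboard project), the same pattern in plain Go, with `net/http` standing in for `gin` and `droplet`: the route paths, the bearer token and the handler names are constructed placeholders. The audit function returns every route that does not reject an unauthenticated request, which is the check a defender would run over the real route table after upgrading.

```go
package main

import (
	"net/http"
	"net/http/httptest"
)

// authenticated is a hypothetical bearer-token middleware (constructed token).
func authenticated(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer secret-token" {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// ok stands in for any Manager API handler.
var ok = http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { _, _ = w.Write([]byte("ok")) })

// vulnerableRouter mirrors the advisory: auth is attached per route on one layer, and a route registered on the underlying mux never sees it.
func vulnerableRouter() http.Handler {
	mux := http.NewServeMux()
	mux.Handle("/api/protected", authenticated(ok))
	mux.Handle("/api/direct", ok) // registered on the raw mux: no auth check
	return mux
}

// hardenedRouter applies the middleware once, at the outermost layer, so every route passes through it however it was registered.
func hardenedRouter() http.Handler {
	mux := http.NewServeMux()
	mux.Handle("/api/protected", ok)
	mux.Handle("/api/direct", ok)
	return authenticated(mux)
}

// unauthenticatedPaths returns the paths that answer a credential-less request with anything other than 401; a route audit expects none.
func unauthenticatedPaths(h http.Handler, paths []string) []string {
	var exposed []string
	for _, p := range paths {
		rec := httptest.NewRecorder()
		h.ServeHTTP(rec, httptest.NewRequest("GET", p, nil))
		if rec.Code != http.StatusUnauthorized {
			exposed = append(exposed, p)
		}
	}
	return exposed
}
```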

Mitigation:

Implement one of the following mitigation techniques:

1. Upgrade to release 2.10.1

2. Change the default username and password, and restrict the source IPs
that are allowed to access the Apache APISIX Dashboard

Credit:

Independently discovered by ZHU Yucheng of YuanbaoTeach Security Team.

