List: oss-security
Subject: [oss-security] CVE-2021-45232: Apache APISIX Dashboard: security vulnerability on unauthorized access
From: JunXu Chen <chenjunxu () apache ! org>
Date: 2021-12-27 14:25:04
Message-ID: CAMikTu7OC1+SN_nOMEcSdFoE7EVmVKYt56WctqQe+nDYqMkAVA () mail ! gmail ! com
Severity: high
Description:
In Apache APISIX Dashboard before 2.10.1, the Manager API uses two
frameworks: it introduces the framework `droplet` on top of the
framework `gin`. All APIs and the authentication middleware are
developed on `droplet`, but some APIs directly use the interface of
`gin`, and requests to those APIs therefore bypass the authentication.
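The defect class described above, reduced to a constructed Go example added here for illustration (it is not code from Apache APISIX Dashboard and uses only the standard library): `outer` stands in for the framework that owns the listener (`gin` in the advisory), `inner` for the layer on which the authentication middleware is written (`droplet`), and the paths and token are made-up values. The hardened variant shows the general fix, which is to place the authentication check at the one entry point every route passes through, regardless of which framework registered it.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Constructed token for the example; a real deployment would validate a
// session or credential here.
const demoToken = "demo-token"

// requireAuth is the authentication middleware. Only requests that pass
// through this handler are checked; a route registered beside it is not.
func requireAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != demoToken {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// ok is a placeholder admin handler.
func ok(name string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "%s ok\n", name)
	})
}

// vulnerableRouter reproduces the defect class: the middleware wraps the
// inner layer only, and one endpoint is registered directly on the outer
// router, so it never passes through requireAuth.
func vulnerableRouter() http.Handler {
	inner := http.NewServeMux() // layer carrying the auth middleware
	inner.Handle("/admin/protected", ok("protected"))

	outer := http.NewServeMux() // framework that owns the listener
	outer.Handle("/admin/", requireAuth(inner)) // checked
	outer.Handle("/admin/direct", ok("direct")) // hypothetical path registered beside the middleware: unchecked
	return outer
}

// hardenedRouter moves enforcement to the single entry point that every
// route, whichever layer registered it, must pass through.
func hardenedRouter() http.Handler {
	inner := http.NewServeMux()
	inner.Handle("/admin/protected", ok("protected"))

	outer := http.NewServeMux()
	outer.Handle("/admin/", inner)
	outer.Handle("/admin/direct", ok("direct"))
	return requireAuth(outer) // one check in front of both layers
}

// probe returns the status code the handler gives a GET for path, sending
// token as the Authorization header when it is non-empty.
func probe(h http.Handler, path, token string) int {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	if token != "" {
		req.Header.Set("Authorization", token)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	cases := []struct {
		name string
		h    http.Handler
	}{{"vulnerable", vulnerableRouter()}, {"hardened", hardenedRouter()}}
	for _, c := range cases {
		for _, p := range []string{"/admin/protected", "/admin/direct"} {
			fmt.Printf("%-10s %-17s no token: %d  with token: %d\n",
				c.name, p, probe(c.h, p, ""), probe(c.h, p, demoToken))
		}
	}
}
```

Running it shows the vulnerable router answering `/admin/direct` with 200 to an unauthenticated request while `/admin/protected` correctly returns 401; the hardened router returns 401 for both without a token and 200 for both with it. The same test, pointed at every registered route, is a cheap regression check for any service that mixes routing layers.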
Mitigation:
Implement one of the following mitigation techniques:
1. Upgrade to release 2.10.1
2. Change the default username and password, and restrict the source IP
addresses allowed to access the Apache APISIX Dashboard
Credit:
Independently discovered by ZHU Yucheng of YuanbaoTeach Security Team.