CVE-2021-45232

Summary

In Apache APISIX Dashboard before 2.10.1, the Manager API uses two frameworks and introduces framework droplet on the basis of framework gin, all APIs and authentication middleware are developed based on framework droplet, but some API directly use the interface of framework gin thus bypassing the authentication.

Affected Software

VendorProductVersion RangeStatus
Apache Software FoundationApache APISIX Dashboard2.7 and 2.7.1affected
Apache Software FoundationApache APISIX Dashboard2.8affected
Apache Software FoundationApache APISIX Dashboard2.9affected
Apache Software FoundationApache APISIX Dashboard2.10affected

Weaknesses

  • CWE-306: CWE-306 Missing Authentication for Critical Function

Workarounds

Implement one of the following mitigation techniques:

  1. Upgrade to release 2.10.1

  2. Change the default username and password, restrict the source IP to access the Apache APISIX Dashboard

ADP Enrichment

CVE Program Container

Additional References

References