CVE-2021-45232
N/A
N/A
Summary
In Apache APISIX Dashboard before 2.10.1, the Manager API uses two frameworks and introduces framework droplet on the basis of framework gin, all APIs and authentication middleware are developed based on framework droplet, but some API directly use the interface of framework gin thus bypassing the authentication.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Apache Software Foundation | Apache APISIX Dashboard | 2.7 and 2.7.1 | affected |
| Apache Software Foundation | Apache APISIX Dashboard | 2.8 | affected |
| Apache Software Foundation | Apache APISIX Dashboard | 2.9 | affected |
| Apache Software Foundation | Apache APISIX Dashboard | 2.10 | affected |
Weaknesses
- CWE-306: CWE-306 Missing Authentication for Critical Function
Workarounds
Implement one of the following mitigation techniques:
Upgrade to release 2.10.1
Change the default username and password, restrict the source IP to access the Apache APISIX Dashboard
ADP Enrichment
CVE Program Container
Additional References
- https://lists.apache.org/thread/979qbl6vlm8269fopfyygnxofgqyn6k5
- http://www.openwall.com/lists/oss-security/2021/12/27/1
References
- https://lists.apache.org/thread/979qbl6vlm8269fopfyygnxofgqyn6k5
- http://www.openwall.com/lists/oss-security/2021/12/27/1
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.