Unauthorized Access Vulnerability of Apache APISIX Dashboard (CVE-2021-45232)
Dec 31, 2021 GMT+08:00
Apache APISIX disclosed an unauthorized access vulnerability (CVE-2021-45232) in Apache APISIX Dashboard versions earlier than 2.10.1. The Manager API is built on the droplet framework, which is itself based on the gin framework; all APIs and the authentication middleware are implemented on top of droplet. However, some APIs are registered directly with the gin framework and therefore bypass identity authentication entirely. A POC has been published, so the risk is high.
Apache APISIX is an open-source API gateway. If you are an Apache APISIX user, check your Dashboard version and apply security hardening promptly.
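As an added illustration (not code from the Apache APISIX project), the following Go snippet models the registration mismatch described above using only the standard library in place of gin and droplet: one route receives the authentication middleware through the wrapper layer while another is registered directly on the underlying router, the hardened variant wraps the entire router once, and an audit function lists every known route that answers an unauthenticated request with anything other than 401. The token value and route paths are constructed placeholders.

```go
package main

import "net/http"
import "net/http/httptest"

const validToken = "example-token" // constructed credential for the example only

// authRequired models the middleware that the wrapper layer (droplet, for the
// Dashboard) attaches to every route registered through it.
func authRequired(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer "+validToken {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

var ok = http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.Write([]byte("ok")) })

var Routes = []string{"/apisix/admin/routes", "/apisix/admin/export"} // hypothetical paths

// VulnerableMux: route 0 goes through the wrapper and gets the middleware;
// route 1 is registered directly on the underlying router and gets none.
func VulnerableMux() http.Handler {
	mux := http.NewServeMux()
	mux.Handle(Routes[0], authRequired(ok))
	mux.Handle(Routes[1], ok) // reachable without credentials
	return mux
}

// HardenedMux wraps the whole router once, so coverage no longer depends on
// which layer registered a route.
func HardenedMux() http.Handler {
	mux := http.NewServeMux()
	mux.Handle(Routes[0], ok)
	mux.Handle(Routes[1], ok)
	return authRequired(mux)
}

// UnauthenticatedRoutes requests each known route without credentials and
// returns those that do not answer 401 (a regression check suitable for CI).
func UnauthenticatedRoutes(h http.Handler) []string {
	var exposed []string
	for _, p := range Routes {
		rec := httptest.NewRecorder()
		h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, p, nil))
		if rec.Code != http.StatusUnauthorized {
			exposed = append(exposed, p)
		}
	}
	return exposed
}
```

Running UnauthenticatedRoutes against VulnerableMux reports the directly registered route, while HardenedMux reports none.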
(Severity: low, moderate, important, and critical)
III. Affected Products
Apache APISIX Dashboard < 2.10.1
Secure Versions
Apache APISIX Dashboard 2.10.1
IV. Vulnerability Handling
1. This vulnerability has been fixed in an official release. If your service version falls within the affected range, upgrade it to the secure version.
2. If the upgrade cannot be performed in a timely manner, follow the official instructions: change the default username and password, and configure a whitelist restricting which addresses may access the Apache APISIX Dashboard.
Note: Before fixing vulnerabilities, back up your files and test thoroughly.