
Unauthorized Access Vulnerability of Apache APISIX Dashboard (CVE-2021-45232)

Dec 31, 2021 GMT+08:00

I. Overview

Apache APISIX disclosed an unauthorized access vulnerability (CVE-2021-45232) in Apache APISIX Dashboard versions earlier than 2.10.1. The Manager API is built on the droplet framework, which is itself based on the gin framework, and all of its APIs and authentication middleware are implemented through droplet. However, some APIs are registered directly through the gin framework and therefore bypass identity authentication. A POC has been publicly disclosed, and the risk is high.

Apache APISIX is an open-source API gateway. If you are an Apache APISIX user, check your version and apply security hardening promptly.

References

https://lists.apache.org/thread/979qbl6vlm8269fopfyygnxofgqyn6k5

https://apisix.apache.org/blog/2021/12/28/dashboard-cve-2021-45232/

II. Severity

Severity: important

(Severity levels: low, moderate, important, and critical)

III. Affected Products

Affected versions:

Apache APISIX Dashboard < 2.10.1

Secure versions:

Apache APISIX Dashboard 2.10.1

IV. Vulnerability Handling

1. This vulnerability has been fixed in an official release. If your service version falls within the affected range, upgrade to the secure version.

https://github.com/apache/apisix-dashboard/releases/tag/v2.10.1

2. If the upgrade cannot be performed in a timely manner, follow the official instructions to change the default username and password and to configure a whitelist of addresses allowed to access the Apache APISIX Dashboard.
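As an added example (not code from this notice or from the APISIX project), the following Python checks one dashboard deployment against the two handling steps above: whether its version is in the affected range and, if it has not yet been upgraded, whether the default username/password and the access whitelist from step 2 have been dealt with. The conf.yaml key layout (conf.allow_list, authentication.users) and the admin/admin default are assumptions about the dashboard's configuration file; the sample configuration is constructed.

```python
import re

SECURE_VERSION = (2, 10, 1)               # first fixed release per the advisory
DEFAULT_CREDENTIALS = ("admin", "admin")  # assumed dashboard default user


def parse_version(tag: str) -> tuple:
    """Turn 'v2.10.0', '2.9' or '2.10.1-rc1' into a comparable tuple."""
    m = re.match(r"v?(\d+)\.(\d+)(?:\.(\d+))?", tag.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {tag!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(tag: str) -> bool:
    """True when the dashboard version is in the CVE-2021-45232 range (< 2.10.1)."""
    return parse_version(tag) < SECURE_VERSION


def audit_dashboard(tag: str, conf: dict) -> list:
    """Return findings for one dashboard given its version and parsed conf.yaml.

    `conf` is the dict yaml.safe_load would return; the key layout used here
    (conf.allow_list, authentication.users) is an assumption about conf.yaml.
    """
    findings = []
    if is_affected(tag):
        findings.append(f"version {tag} is affected; upgrade to 2.10.1 or later")
    for user in conf.get("authentication", {}).get("users", []):
        if (user.get("username"), user.get("password")) == DEFAULT_CREDENTIALS:
            findings.append("default admin/admin credentials still configured")
    allow_list = conf.get("conf", {}).get("allow_list") or []
    if not allow_list:
        findings.append("no allow_list configured: dashboard reachable from any address")
    elif any(entry in ("0.0.0.0/0", "::/0") for entry in allow_list):
        findings.append("allow_list permits every address")
    return findings


# Constructed sample mirroring an unhardened install (not a real deployment).
SAMPLE_CONF = {
    "conf": {"listen": {"host": "0.0.0.0", "port": 9000}, "allow_list": []},
    "authentication": {"users": [{"username": "admin", "password": "admin"}]},
}

if __name__ == "__main__":
    for finding in audit_dashboard("v2.10.0", SAMPLE_CONF):
        print("FINDING:", finding)
```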

HUAWEI CLOUD WAF can defend against this vulnerability. If you are a WAF user, set the basic web protection status to Block. For details, see Configuring Basic Web Protection Rules.

Note: Before fixing vulnerabilities, back up your files and test the change thoroughly.