
Apache APISIX Dashboard Unauthorized Access Vulnerability Announcement (CVE-2021-45232)


An unauthorized-access vulnerability exists in Apache APISIX Dashboard versions 2.7 through 2.10. The details and the remediation are given below.

Problem description

Certain interfaces of Apache APISIX Dashboard can be reached without logging in. An attacker can use them to read or modify Apache APISIX configuration such as Routes, Upstreams and Services. Control over that configuration can lead to SSRF, to gateway traffic being proxied through attacker-built routes, and to arbitrary code execution.

Affected Versions

Apache APISIX Dashboard versions 2.7 - 2.10

Solution

Please update to Apache APISIX Dashboard version 2.10.1 or later.

Security Recommendations

Users are advised to change the default username and password promptly and to restrict access to the Apache APISIX Dashboard by source IP. Note that because the affected interfaces can be reached without authentication, changing credentials alone does not close this issue; it limits the damage from credential reuse, while the source-IP restriction limits who can reach the vulnerable interfaces at all. Upgrading is the only complete fix.
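The following is an added configuration example, not part of the advisory or the project's documentation. It contrasts a weak Dashboard setup with one that applies the two recommendations above. Field names follow the layout of the Dashboard's shipped conf/conf.yaml (`conf.listen`, `conf.allow_list`, `authentication.users`); the bind address, the administrator network range and the account name are assumed placeholders, and the `allow_list` entries are assumed to accept CIDR notation. Verify all of this against the conf.yaml that ships with your version before applying it.

```yaml
# conf/conf.yaml for Apache APISIX Dashboard (added example, not the project's file)

# --- Weak configuration (commented out): listens on all interfaces, allows any
# --- source IP and keeps the default credentials.
# conf:
#   listen:
#     host: 0.0.0.0
#     port: 9000
#   allow_list:
#     - 0.0.0.0            # any source IP may reach the Dashboard
# authentication:
#   secret: secret
#   users:
#     - username: admin
#       password: admin    # default credentials

# --- Hardened configuration
conf:
  listen:
    host: 10.0.5.10        # assumed address of the management interface only
    port: 9000
  allow_list:              # only these sources may reach the Dashboard
    - 127.0.0.1
    - 10.0.5.0/24          # assumed administrators' network (CIDR assumed supported)
  etcd:
    endpoints:
      - 127.0.0.1:2379
authentication:
  secret: "REPLACE-WITH-LONG-RANDOM-VALUE"   # e.g. output of: openssl rand -base64 32
  expire_time: 3600
  users:
    - username: ops-admin                    # non-default account name (assumed)
      password: "REPLACE-WITH-STRONG-UNIQUE-PASSWORD"
```

The allow list is enforced by the Dashboard process itself, so a network-level rule (host firewall or security group) that limits inbound traffic to port 9000 to the same administrator range is worth adding as a second layer: it still holds if the application-level check is bypassed or misconfigured.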

Vulnerability details

Vulnerability public date: December 27, 2021

CVE details: https://nvd.nist.gov/vuln/detail/CVE-2021-45232

Contributor Profile

This vulnerability was discovered by Yucheng Zhu of the Security Team at Yuanbao Technology and reported to the Apache Software Foundation. Thank you for your contribution to the Apache APISIX community.
