Date: Mon, 27 Dec 2021 22:25:04 +0800 From: JunXu Chen <chenjunxu@...che.org> To: announce@...che.org, dev@...six.apache.org, oss-security@...ts.openwall.com, 朱禹成 <zhuyucheng@...nbaotech.cn> Subject: CVE-2021-45232: Apache APISIX Dashboard: security vulnerability on unauthorized access Severity: high Description: In Apache APISIX Dashboard before 2.10.1, the Manager API uses two frameworks and introduces framework `droplet` on the basis of framework `gin`, all APIs and authentication middleware are developed based on framework `droplet`, but some API directly use the interface of framework `gin` thus bypassing the authentication. Mitigation: Implement one of the following mitigation techniques: 1. Upgrade to release 2.10.1 2. Change the default username and password, restrict the source IP to access the Apache APISIX Dashboard Credit: Independently discovered by ZHU Yucheng of YuanbaoTeach Security Team.
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.