Message-ID: <CAMikTu7OC1+SN_nOMEcSdFoE7EVmVKYt56WctqQe+nDYqMkAVA@mail.gmail.com>
Date: Mon, 27 Dec 2021 22:25:04 +0800
From: JunXu Chen <chenjunxu@...che.org>
To: announce@...che.org, dev@...six.apache.org, 
	oss-security@...ts.openwall.com, 朱禹成 <zhuyucheng@...nbaotech.cn>
Subject: CVE-2021-45232: Apache APISIX Dashboard: security vulnerability on unauthorized access

Severity: high

Description:

In Apache APISIX Dashboard before 2.10.1, the Manager API is built on two
web frameworks: `droplet` is layered on top of `gin`. All APIs and the
authentication middleware are implemented with `droplet`, but some APIs are
registered directly through the `gin` interface, so requests to them never
pass through the authentication middleware and authentication is bypassed.
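The layering defect described above is easy to reproduce in miniature. The following is an added example, not code from Apache APISIX Dashboard; it uses only Go's standard library `net/http` in place of `gin` and `droplet`, and the paths `/api/protected` and `/api/direct` and the token value are hypothetical, constructed for the illustration. `vulnerableServer` attaches the authentication middleware to an inner router and then registers one handler straight on the outer router, so that route is reachable without a token; `hardenedServer` applies the middleware to the outermost handler, so nothing can be registered outside it. `unauthenticatedRoutes` is the kind of check a test suite can run over every registered path to catch this class of regression.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Constructed token for the example; a real deployment would validate a session
// or signed token here rather than compare against a constant.
const demoToken = "constructed-demo-token"

// requireAuth rejects any request that does not carry the expected bearer token
// and otherwise forwards it to the wrapped handler.
func requireAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer "+demoToken {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// okHandler stands in for any privileged management endpoint.
func okHandler(w http.ResponseWriter, r *http.Request) {
	w.WriteHeader(http.StatusOK)
	w.Write([]byte("ok"))
}

// vulnerableServer mirrors the advisory's layering: the auth middleware guards
// only the inner router, and one route is registered directly on the outer
// router, outside the middleware. Paths are hypothetical.
func vulnerableServer() http.Handler {
	inner := http.NewServeMux()
	inner.HandleFunc("/api/protected", okHandler)

	outer := http.NewServeMux()
	outer.Handle("/api/", requireAuth(inner))
	// Registered on the outer router: the more specific pattern wins, so this
	// handler is served without ever passing through requireAuth.
	outer.HandleFunc("/api/direct", okHandler)
	return outer
}

// hardenedServer applies the middleware at the outermost layer, so every
// route, however and wherever it is registered, is authenticated.
func hardenedServer() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/api/protected", okHandler)
	mux.HandleFunc("/api/direct", okHandler)
	return requireAuth(mux)
}

// statusFor sends an in-process request, with or without the token, and
// returns the HTTP status code the handler produced.
func statusFor(h http.Handler, path string, withToken bool) int {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	if withToken {
		req.Header.Set("Authorization", "Bearer "+demoToken)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

// unauthenticatedRoutes returns every path that answers 200 without a token.
// A non-empty result is exactly the defect the advisory describes, which makes
// this a useful regression test to run over a router's full route table.
func unauthenticatedRoutes(h http.Handler, paths []string) []string {
	var open []string
	for _, p := range paths {
		if statusFor(h, p, false) == http.StatusOK {
			open = append(open, p)
		}
	}
	return open
}

func main() {
	paths := []string{"/api/protected", "/api/direct"}
	fmt.Println("vulnerable, open without token:", unauthenticatedRoutes(vulnerableServer(), paths))
	fmt.Println("hardened, open without token:  ", unauthenticatedRoutes(hardenedServer(), paths))
}
```

The design point is where the middleware is attached: guarding a sub-router leaves every future registration on the parent unguarded, whereas wrapping the top-level handler makes the authenticated path the only path. In a real code base the `paths` slice would be derived from the router's own route table rather than written by hand, so that a newly added route cannot be forgotten.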

Mitigation:

Implement one of the following mitigation techniques:

1. Upgrade to release 2.10.1

2. Change the default username and password, restrict the source IP to
access the Apache APISIX Dashboard

Credit:

Independently discovered by ZHU Yucheng of YuanbaoTech Security Team.
