Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
4 vulnerabilities found for apisix_dashboard by apache
CVE-2021-45232 (GCVE-0-2021-45232)
Vulnerability from nvd – Published: 2021-12-27 15:06 – Updated: 2024-08-04 04:39
VLAI
Title
security vulnerability on unauthorized access.
Summary
In Apache APISIX Dashboard before 2.10.1, the Manager API uses two frameworks and introduces framework `droplet` on the basis of framework `gin`, all APIs and authentication middleware are developed based on framework `droplet`, but some API directly use the interface of framework `gin` thus bypassing the authentication.
Severity
No CVSS data available.
CWE
- CWE-306 - Missing Authentication for Critical Function
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://lists.apache.org/thread/979qbl6vlm8269fop… | x_refsource_MISC |
| http://www.openwall.com/lists/oss-security/2021/12/27/1 | mailing-listx_refsource_MLIST |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache APISIX Dashboard |
Affected:
2.7 and 2.7.1
Affected: 2.8 Affected: 2.9 Affected: 2.10 |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T04:39:20.275Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread/979qbl6vlm8269fopfyygnxofgqyn6k5"
},
{
"name": "[oss-security] 20211227 CVE-2021-45232: Apache APISIX Dashboard: security vulnerability on unauthorized access",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2021/12/27/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache APISIX Dashboard",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "2.7 and 2.7.1"
},
{
"status": "affected",
"version": "2.8"
},
{
"status": "affected",
"version": "2.9"
},
{
"status": "affected",
"version": "2.10"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Independently discovered by ZHU Yucheng of YuanbaoTeach Security Team."
}
],
"descriptions": [
{
"lang": "en",
"value": "In Apache APISIX Dashboard before 2.10.1, the Manager API uses two frameworks and introduces framework `droplet` on the basis of framework `gin`, all APIs and authentication middleware are developed based on framework `droplet`, but some API directly use the interface of framework `gin` thus bypassing the authentication."
}
],
"metrics": [
{
"other": {
"content": {
"other": "high"
},
"type": "unknown"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306 Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-12-27T18:06:08.000Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread/979qbl6vlm8269fopfyygnxofgqyn6k5"
},
{
"name": "[oss-security] 20211227 CVE-2021-45232: Apache APISIX Dashboard: security vulnerability on unauthorized access",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2021/12/27/1"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "security vulnerability on unauthorized access.",
"workarounds": [
{
"lang": "en",
"value": "Implement one of the following mitigation techniques:\n\n1. Upgrade to release 2.10.1\n\n2. Change the default username and password, restrict the source IP to access the Apache APISIX Dashboard"
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2021-45232",
"STATE": "PUBLIC",
"TITLE": "security vulnerability on unauthorized access."
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache APISIX Dashboard",
"version": {
"version_data": [
{
"version_affected": "=",
"version_name": "2.7",
"version_value": "2.7 and 2.7.1"
},
{
"version_affected": "=",
"version_name": "2.8",
"version_value": "2.8"
},
{
"version_affected": "=",
"version_name": "2.9",
"version_value": "2.9"
},
{
"version_affected": "=",
"version_name": "2.10",
"version_value": "2.10"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Independently discovered by ZHU Yucheng of YuanbaoTeach Security Team."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Apache APISIX Dashboard before 2.10.1, the Manager API uses two frameworks and introduces framework `droplet` on the basis of framework `gin`, all APIs and authentication middleware are developed based on framework `droplet`, but some API directly use the interface of framework `gin` thus bypassing the authentication."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": [
{
"other": "high"
}
],
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-306 Missing Authentication for Critical Function"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread/979qbl6vlm8269fopfyygnxofgqyn6k5",
"refsource": "MISC",
"url": "https://lists.apache.org/thread/979qbl6vlm8269fopfyygnxofgqyn6k5"
},
{
"name": "[oss-security] 20211227 CVE-2021-45232: Apache APISIX Dashboard: security vulnerability on unauthorized access",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2021/12/27/1"
}
]
},
"source": {
"discovery": "UNKNOWN"
},
"work_around": [
{
"lang": "en",
"value": "Implement one of the following mitigation techniques:\n\n1. Upgrade to release 2.10.1\n\n2. Change the default username and password, restrict the source IP to access the Apache APISIX Dashboard"
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2021-45232",
"datePublished": "2021-12-27T15:06:50.000Z",
"dateReserved": "2021-12-18T00:00:00.000Z",
"dateUpdated": "2024-08-04T04:39:20.275Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-33190 (GCVE-0-2021-33190)
Vulnerability from nvd – Published: 2021-06-08 15:05 – Updated: 2024-08-03 23:42
VLAI
Title
Bypass network access control
Summary
In Apache APISIX Dashboard version 2.6, we changed the default value of listen host to 0.0.0.0 in order to facilitate users to configure external network access. In the IP allowed list restriction, a risky function was used for the IP acquisition, which made it possible to bypass the network limit. At the same time, the default account and password are fixed.Ultimately these factors lead to the issue of security risks. This issue is fixed in APISIX Dashboard 2.6.1
Severity
No CVSS data available.
CWE
- CWE-307 - Improper Restriction of Excessive Authentication Attempts
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://lists.apache.org/thread.html/re736aea55e8… | x_refsource_MISC |
| http://www.openwall.com/lists/oss-security/2021/06/08/4 | mailing-listx_refsource_MLIST |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache APISIX Dashboard |
Affected:
Apache APISIX Dashboard 2.6 2.6
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T23:42:20.273Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/re736aea55e8fd2478f0739c0c38a9375c4204fc1f0bd1ea687f57049%40%3Cdev.apisix.apache.org%3E"
},
{
"name": "[apisix-dev] 20210608 CVE-2021-33190: Apache APISIX Dashboard: Bypass network access control",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/re736aea55e8fd2478f0739c0c38a9375c4204fc1f0bd1ea687f57049%40%3Cdev.apisix.apache.org%3E"
},
{
"name": "[oss-security] 20210608 CVE-2021-33190: Apache APISIX Dashboard: Bypass network access control",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2021/06/08/4"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache APISIX Dashboard",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "Apache APISIX Dashboard 2.6 2.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Apache APISIX Dashboard version 2.6, we changed the default value of listen host to 0.0.0.0 in order to facilitate users to configure external network access. In the IP allowed list restriction, a risky function was used for the IP acquisition, which made it possible to bypass the network limit. At the same time, the default account and password are fixed.Ultimately these factors lead to the issue of security risks. This issue is fixed in APISIX Dashboard 2.6.1"
}
],
"metrics": [
{
"other": {
"content": {
"other": "important"
},
"type": "unknown"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-307",
"description": "CWE-307 Improper Restriction of Excessive Authentication Attempts",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-08T17:06:25.000Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/re736aea55e8fd2478f0739c0c38a9375c4204fc1f0bd1ea687f57049%40%3Cdev.apisix.apache.org%3E"
},
{
"name": "[apisix-dev] 20210608 CVE-2021-33190: Apache APISIX Dashboard: Bypass network access control",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/re736aea55e8fd2478f0739c0c38a9375c4204fc1f0bd1ea687f57049%40%3Cdev.apisix.apache.org%3E"
},
{
"name": "[oss-security] 20210608 CVE-2021-33190: Apache APISIX Dashboard: Bypass network access control",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2021/06/08/4"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Bypass network access control",
"workarounds": [
{
"lang": "en",
"value": "1. Change the account password after installation, do not use the default password.\n2. Upgrade to 2.6.1 or newer."
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2021-33190",
"STATE": "PUBLIC",
"TITLE": "Bypass network access control"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache APISIX Dashboard",
"version": {
"version_data": [
{
"version_affected": "=",
"version_name": "Apache APISIX Dashboard 2.6",
"version_value": "2.6"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Apache APISIX Dashboard version 2.6, we changed the default value of listen host to 0.0.0.0 in order to facilitate users to configure external network access. In the IP allowed list restriction, a risky function was used for the IP acquisition, which made it possible to bypass the network limit. At the same time, the default account and password are fixed.Ultimately these factors lead to the issue of security risks. This issue is fixed in APISIX Dashboard 2.6.1"
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": [
{
"other": "important"
}
],
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-307 Improper Restriction of Excessive Authentication Attempts"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread.html/re736aea55e8fd2478f0739c0c38a9375c4204fc1f0bd1ea687f57049%40%3Cdev.apisix.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/re736aea55e8fd2478f0739c0c38a9375c4204fc1f0bd1ea687f57049%40%3Cdev.apisix.apache.org%3E"
},
{
"name": "[apisix-dev] 20210608 CVE-2021-33190: Apache APISIX Dashboard: Bypass network access control",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/re736aea55e8fd2478f0739c0c38a9375c4204fc1f0bd1ea687f57049@%3Cdev.apisix.apache.org%3E"
},
{
"name": "[oss-security] 20210608 CVE-2021-33190: Apache APISIX Dashboard: Bypass network access control",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2021/06/08/4"
}
]
},
"source": {
"discovery": "UNKNOWN"
},
"work_around": [
{
"lang": "en",
"value": "1. Change the account password after installation, do not use the default password.\n2. Upgrade to 2.6.1 or newer."
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2021-33190",
"datePublished": "2021-06-08T15:05:11.000Z",
"dateReserved": "2021-05-19T00:00:00.000Z",
"dateUpdated": "2024-08-03T23:42:20.273Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-45232 (GCVE-0-2021-45232)
Vulnerability from cvelistv5 – Published: 2021-12-27 15:06 – Updated: 2024-08-04 04:39
VLAI
Title
security vulnerability on unauthorized access.
Summary
In Apache APISIX Dashboard before 2.10.1, the Manager API uses two frameworks and introduces framework `droplet` on the basis of framework `gin`, all APIs and authentication middleware are developed based on framework `droplet`, but some API directly use the interface of framework `gin` thus bypassing the authentication.
Severity
No CVSS data available.
CWE
- CWE-306 - Missing Authentication for Critical Function
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://lists.apache.org/thread/979qbl6vlm8269fop… | x_refsource_MISC |
| http://www.openwall.com/lists/oss-security/2021/12/27/1 | mailing-listx_refsource_MLIST |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache APISIX Dashboard |
Affected:
2.7 and 2.7.1
Affected: 2.8 Affected: 2.9 Affected: 2.10 |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T04:39:20.275Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread/979qbl6vlm8269fopfyygnxofgqyn6k5"
},
{
"name": "[oss-security] 20211227 CVE-2021-45232: Apache APISIX Dashboard: security vulnerability on unauthorized access",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2021/12/27/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache APISIX Dashboard",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "2.7 and 2.7.1"
},
{
"status": "affected",
"version": "2.8"
},
{
"status": "affected",
"version": "2.9"
},
{
"status": "affected",
"version": "2.10"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Independently discovered by ZHU Yucheng of YuanbaoTeach Security Team."
}
],
"descriptions": [
{
"lang": "en",
"value": "In Apache APISIX Dashboard before 2.10.1, the Manager API uses two frameworks and introduces framework `droplet` on the basis of framework `gin`, all APIs and authentication middleware are developed based on framework `droplet`, but some API directly use the interface of framework `gin` thus bypassing the authentication."
}
],
"metrics": [
{
"other": {
"content": {
"other": "high"
},
"type": "unknown"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306 Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-12-27T18:06:08.000Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread/979qbl6vlm8269fopfyygnxofgqyn6k5"
},
{
"name": "[oss-security] 20211227 CVE-2021-45232: Apache APISIX Dashboard: security vulnerability on unauthorized access",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2021/12/27/1"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "security vulnerability on unauthorized access.",
"workarounds": [
{
"lang": "en",
"value": "Implement one of the following mitigation techniques:\n\n1. Upgrade to release 2.10.1\n\n2. Change the default username and password, restrict the source IP to access the Apache APISIX Dashboard"
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2021-45232",
"STATE": "PUBLIC",
"TITLE": "security vulnerability on unauthorized access."
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache APISIX Dashboard",
"version": {
"version_data": [
{
"version_affected": "=",
"version_name": "2.7",
"version_value": "2.7 and 2.7.1"
},
{
"version_affected": "=",
"version_name": "2.8",
"version_value": "2.8"
},
{
"version_affected": "=",
"version_name": "2.9",
"version_value": "2.9"
},
{
"version_affected": "=",
"version_name": "2.10",
"version_value": "2.10"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Independently discovered by ZHU Yucheng of YuanbaoTeach Security Team."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Apache APISIX Dashboard before 2.10.1, the Manager API uses two frameworks and introduces framework `droplet` on the basis of framework `gin`, all APIs and authentication middleware are developed based on framework `droplet`, but some API directly use the interface of framework `gin` thus bypassing the authentication."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": [
{
"other": "high"
}
],
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-306 Missing Authentication for Critical Function"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread/979qbl6vlm8269fopfyygnxofgqyn6k5",
"refsource": "MISC",
"url": "https://lists.apache.org/thread/979qbl6vlm8269fopfyygnxofgqyn6k5"
},
{
"name": "[oss-security] 20211227 CVE-2021-45232: Apache APISIX Dashboard: security vulnerability on unauthorized access",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2021/12/27/1"
}
]
},
"source": {
"discovery": "UNKNOWN"
},
"work_around": [
{
"lang": "en",
"value": "Implement one of the following mitigation techniques:\n\n1. Upgrade to release 2.10.1\n\n2. Change the default username and password, restrict the source IP to access the Apache APISIX Dashboard"
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2021-45232",
"datePublished": "2021-12-27T15:06:50.000Z",
"dateReserved": "2021-12-18T00:00:00.000Z",
"dateUpdated": "2024-08-04T04:39:20.275Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-33190 (GCVE-0-2021-33190)
Vulnerability from cvelistv5 – Published: 2021-06-08 15:05 – Updated: 2024-08-03 23:42
VLAI
Title
Bypass network access control
Summary
In Apache APISIX Dashboard version 2.6, we changed the default value of listen host to 0.0.0.0 in order to facilitate users to configure external network access. In the IP allowed list restriction, a risky function was used for the IP acquisition, which made it possible to bypass the network limit. At the same time, the default account and password are fixed.Ultimately these factors lead to the issue of security risks. This issue is fixed in APISIX Dashboard 2.6.1
Severity
No CVSS data available.
CWE
- CWE-307 - Improper Restriction of Excessive Authentication Attempts
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://lists.apache.org/thread.html/re736aea55e8… | x_refsource_MISC |
| http://www.openwall.com/lists/oss-security/2021/06/08/4 | mailing-listx_refsource_MLIST |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache APISIX Dashboard |
Affected:
Apache APISIX Dashboard 2.6 2.6
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T23:42:20.273Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/re736aea55e8fd2478f0739c0c38a9375c4204fc1f0bd1ea687f57049%40%3Cdev.apisix.apache.org%3E"
},
{
"name": "[apisix-dev] 20210608 CVE-2021-33190: Apache APISIX Dashboard: Bypass network access control",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/re736aea55e8fd2478f0739c0c38a9375c4204fc1f0bd1ea687f57049%40%3Cdev.apisix.apache.org%3E"
},
{
"name": "[oss-security] 20210608 CVE-2021-33190: Apache APISIX Dashboard: Bypass network access control",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2021/06/08/4"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache APISIX Dashboard",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "Apache APISIX Dashboard 2.6 2.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Apache APISIX Dashboard version 2.6, we changed the default value of listen host to 0.0.0.0 in order to facilitate users to configure external network access. In the IP allowed list restriction, a risky function was used for the IP acquisition, which made it possible to bypass the network limit. At the same time, the default account and password are fixed.Ultimately these factors lead to the issue of security risks. This issue is fixed in APISIX Dashboard 2.6.1"
}
],
"metrics": [
{
"other": {
"content": {
"other": "important"
},
"type": "unknown"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-307",
"description": "CWE-307 Improper Restriction of Excessive Authentication Attempts",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-08T17:06:25.000Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/re736aea55e8fd2478f0739c0c38a9375c4204fc1f0bd1ea687f57049%40%3Cdev.apisix.apache.org%3E"
},
{
"name": "[apisix-dev] 20210608 CVE-2021-33190: Apache APISIX Dashboard: Bypass network access control",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/re736aea55e8fd2478f0739c0c38a9375c4204fc1f0bd1ea687f57049%40%3Cdev.apisix.apache.org%3E"
},
{
"name": "[oss-security] 20210608 CVE-2021-33190: Apache APISIX Dashboard: Bypass network access control",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2021/06/08/4"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Bypass network access control",
"workarounds": [
{
"lang": "en",
"value": "1. Change the account password after installation, do not use the default password.\n2. Upgrade to 2.6.1 or newer."
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2021-33190",
"STATE": "PUBLIC",
"TITLE": "Bypass network access control"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache APISIX Dashboard",
"version": {
"version_data": [
{
"version_affected": "=",
"version_name": "Apache APISIX Dashboard 2.6",
"version_value": "2.6"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Apache APISIX Dashboard version 2.6, we changed the default value of listen host to 0.0.0.0 in order to facilitate users to configure external network access. In the IP allowed list restriction, a risky function was used for the IP acquisition, which made it possible to bypass the network limit. At the same time, the default account and password are fixed.Ultimately these factors lead to the issue of security risks. This issue is fixed in APISIX Dashboard 2.6.1"
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": [
{
"other": "important"
}
],
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-307 Improper Restriction of Excessive Authentication Attempts"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread.html/re736aea55e8fd2478f0739c0c38a9375c4204fc1f0bd1ea687f57049%40%3Cdev.apisix.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/re736aea55e8fd2478f0739c0c38a9375c4204fc1f0bd1ea687f57049%40%3Cdev.apisix.apache.org%3E"
},
{
"name": "[apisix-dev] 20210608 CVE-2021-33190: Apache APISIX Dashboard: Bypass network access control",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/re736aea55e8fd2478f0739c0c38a9375c4204fc1f0bd1ea687f57049@%3Cdev.apisix.apache.org%3E"
},
{
"name": "[oss-security] 20210608 CVE-2021-33190: Apache APISIX Dashboard: Bypass network access control",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2021/06/08/4"
}
]
},
"source": {
"discovery": "UNKNOWN"
},
"work_around": [
{
"lang": "en",
"value": "1. Change the account password after installation, do not use the default password.\n2. Upgrade to 2.6.1 or newer."
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2021-33190",
"datePublished": "2021-06-08T15:05:11.000Z",
"dateReserved": "2021-05-19T00:00:00.000Z",
"dateUpdated": "2024-08-03T23:42:20.273Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}