
Apache APISIX Dashboard Unauthorized Access Vulnerability Announcement (CVE-2021-45232)


Apache APISIX Dashboard versions 2.7 through 2.10 contain an unauthorized-access vulnerability. This announcement describes the issue and how it has been handled.

Problem description

Attackers can reach certain API endpoints of Apache APISIX Dashboard without logging in. Through them they can read configuration such as Apache APISIX Routes, Upstreams and Services, or modify it without authorization, which can lead to SSRF, attacker-controlled proxying of malicious traffic, and arbitrary code execution.

Affected Versions

Apache APISIX Dashboard versions 2.7 - 2.10

Solution

Please upgrade to Apache APISIX Dashboard version 2.10.1 or later.

Security Recommendations

Users are advised to change the default username and password promptly and to restrict access to the Apache APISIX Dashboard by source IP.
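The two recommendations above can be checked mechanically against a deployment's configuration. The following script is an added example and is not part of this advisory or of the Apache APISIX project; it assumes the dashboard's `conf.yaml` layout (`conf.listen`, `conf.allow_list`, `authentication.users`, `authentication.secret`) and the shipped default accounts `admin/admin` and `user/user`, and the two configurations it audits are constructed for illustration rather than taken from a real deployment.

```python
"""Audit an Apache APISIX Dashboard configuration for the two hardening
points in the advisory: default credentials and unrestricted source IPs.

Added example. The conf.yaml layout (conf.listen, conf.allow_list,
authentication.users, authentication.secret) and the default accounts are
assumed from the dashboard's shipped defaults; both sample configurations
below are constructed, not taken from a real deployment.
"""

from typing import Any, Dict, List

# Credentials shipped in the dashboard's default conf.yaml (assumption).
DEFAULT_CREDENTIALS = {("admin", "admin"), ("user", "user")}

# Constructed: a configuration still on shipped defaults.
WEAK_CONFIG: Dict[str, Any] = {
    "conf": {
        "listen": {"host": "0.0.0.0", "port": 9000},
        "allow_list": [],  # empty list means every source IP is accepted
    },
    "authentication": {
        "secret": "secret",
        "expire_time": 3600,
        "users": [
            {"username": "admin", "password": "admin"},
            {"username": "user", "password": "user"},
        ],
    },
}

# Constructed: the same configuration after applying the recommendations.
HARDENED_CONFIG: Dict[str, Any] = {
    "conf": {
        "listen": {"host": "127.0.0.1", "port": 9000},
        "allow_list": ["127.0.0.1", "10.20.30.0/24"],  # placeholder admin network
    },
    "authentication": {
        "secret": "REPLACE-WITH-A-LONG-RANDOM-VALUE",  # placeholder
        "expire_time": 3600,
        "users": [
            {"username": "ops-admin", "password": "REPLACE-WITH-A-STRONG-PASSWORD"},
        ],
    },
}


def audit_dashboard_config(config: Dict[str, Any]) -> List[str]:
    """Return a list of findings; an empty list means both recommendations are met."""
    findings: List[str] = []
    conf = config.get("conf", {})
    auth = config.get("authentication", {})

    # 1. Default or empty credentials, and the default JWT signing secret.
    for user in auth.get("users", []):
        pair = (user.get("username", ""), user.get("password", ""))
        if pair in DEFAULT_CREDENTIALS:
            findings.append(f"default credentials still present: {pair[0]}")
        elif not pair[1]:
            findings.append(f"empty password for user: {pair[0]}")
    if auth.get("secret") in (None, "", "secret"):
        findings.append("JWT signing secret is unset or still the shipped default")

    # 2. Source IP restriction: an empty allow_list on a wildcard bind exposes
    #    the dashboard to any client that can reach the port.
    allow_list = conf.get("allow_list") or []
    host = conf.get("listen", {}).get("host", "0.0.0.0")
    if not allow_list and host in ("0.0.0.0", "::"):
        findings.append("listens on all interfaces with no allow_list")
    for entry in allow_list:
        if entry in ("0.0.0.0/0", "::/0"):
            findings.append(f"allow_list entry permits every source: {entry}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_dashboard_config(cfg) or ["ok"])
```

In practice the dictionaries would come from loading the deployment's `conf.yaml`; the audit itself is independent of how the data is read. Note that this check complements the fix rather than replacing it: the vulnerable endpoints are reachable without credentials, so restricting source IPs limits who can reach them, but only upgrading to 2.10.1 or later removes the flaw.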

Vulnerability details

Vulnerability public date: December 27, 2021

CVE details: https://nvd.nist.gov/vuln/detail/CVE-2021-45232

Contributor Profile

This vulnerability was discovered by Yucheng Zhu of the Security Team at Yuanbao Technology and reported to the Apache Software Foundation. Thank you for your contribution to the Apache APISIX community.
