CVE-2021-45232
Published: 2021-12-27
Priority: P186 · critical · 9.8 (CVSS 3.1)
Exploit: yes
EPSS: 85.94% (99.7th percentile)
In Apache APISIX Dashboard before 2.10.1, the Manager API uses two frameworks and introduces framework `droplet` on the basis of framework `gin`, all APIs and authentication middleware are developed based on framework `droplet`, but some API directly use the interface of framework `gin` thus bypassing the authentication.
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | apisix_dashboard | < 2.10.1 | 2.10.1 |
| apache_software_foundation | apache_apisix_dashboard | — | — |
Detection & IOCs
URL: /apisix/admin/migrate/export
- Send an unauthenticated HTTP GET request to /apisix/admin/migrate/export; a 200 response whose body contains the string `"Consumers":` confirms the authentication bypass through the gin framework interface.
- The vulnerability exists because some API endpoints are registered directly on the gin framework interface instead of through the droplet framework, so the droplet authentication middleware never runs for them. Look for unauthenticated requests to /apisix/admin/* endpoints.
- Only Apache APISIX Dashboard versions before 2.10.1 are affected; instances running 2.10.1 or later are not affected.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | CVSS 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | CVSS 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
No detection rules found.
Nuclei
Apache APISIX Dashboard <2.10.1 - API Unauthorized Access (nuclei · CVSS 9.8)
CVE-2021-45232 [CRITICAL] Apache APISIX Dashboard <2.10.1 - API Unauthorized Access
In Apache APISIX Dashboard before 2.10.1, the Manager API uses two frameworks and introduces framework `droplet` on the basis of framework `gin`. While all APIs and authentication middleware are developed based on framework `droplet`, some APIs directly use the interface of framework `gin`, thus bypassing authentication.
Template:

```yaml
id: CVE-2021-45232

info:
  name: Apache APISIX Dashboard <2.10.1 - API Unauthorized Access
  author: Mr-xn
  severity: critical
  description: In Apache APISIX Dashboard before 2.10.1, the Manager API uses two frameworks and introduces framework `droplet` on the basis of framework `gin`. While all APIs and authentication middleware are developed based on framework `droplet`, some API directly use the inter
```