CVE-2021-45232
published 2021-12-27


Priority: P1 86
Severity: critical, CVSS 3.1 base score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: EXPLOIT
EPSS: 85.94% (99.7th percentile)
In Apache APISIX Dashboard before 2.10.1, the Manager API uses two frameworks and introduces framework `droplet` on the basis of framework `gin`, all APIs and authentication middleware are developed based on framework `droplet`, but some API directly use the interface of framework `gin` thus bypassing the authentication.

Affected (5 ranges)

Vendor | Product | Version range | Fixed in
apache | apisix_dashboard | < 2.10.1 | 2.10.1
apache_software_foundation | apache_apisix_dashboard | (not given) | (not given)
apache_software_foundation | apache_apisix_dashboard | (not given) | (not given)
apache_software_foundation | apache_apisix_dashboard | (not given) | (not given)
apache_software_foundation | apache_apisix_dashboard | (not given) | (not given)

Detection & IOCs (extracted from sources)

URL: /apisix/admin/migrate/export
  • Send an unauthenticated HTTP GET request to /apisix/admin/migrate/export; a 200 response containing the string '"Consumers":' confirms the authentication bypass via the gin framework interface.
  • The vulnerability exists because some API endpoints directly use the gin framework interface instead of the droplet framework, thereby bypassing all authentication middleware. Look for unauthenticated requests to /apisix/admin/* endpoints.
  • The vulnerability only affects Apache APISIX Dashboard versions before 2.10.1. Instances running 2.10.1 or later are not affected.
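The detection guidance above turned into a small log check, as an added example that is not part of the original record or of the APISIX project: it scans constructed JSON access-log lines (the field names, the `auth_present` flag and the login-endpoint allow list are assumptions) for successful unauthenticated requests to /apisix/admin/* and also classifies a Dashboard version string against the 2.10.1 fix boundary.

```python
import json

# Constructed sample access-log lines (not from the advisory). The
# assumed "auth_present" field records whether the request carried an
# Authorization header; the logging format itself is an assumption.
SAMPLE_LOG = """\
{"method":"GET","path":"/apisix/admin/migrate/export","status":200,"auth_present":false,"src":"198.51.100.7"}
{"method":"GET","path":"/apisix/admin/routes","status":200,"auth_present":true,"src":"10.0.0.5"}
{"method":"GET","path":"/apisix/admin/migrate/export","status":401,"auth_present":false,"src":"198.51.100.8"}
{"method":"GET","path":"/apisix/admin/user/login","status":200,"auth_present":false,"src":"10.0.0.9"}
{"method":"GET","path":"/apisix/admin/routes","status":200,"auth_present":false,"src":"198.51.100.7"}
"""

# Assumption: the login endpoint is legitimately reachable without a token,
# so it must not be reported as a bypass.
UNAUTH_ALLOWED = {"/apisix/admin/user/login"}

# The endpoint named by the advisory's IOC gets flagged with higher priority.
IOC_PATH = "/apisix/admin/migrate/export"


def parse_version(version):
    """Turn '2.10.1' into (2, 10, 1) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def is_affected_version(version):
    """Per the advisory, Dashboard releases before 2.10.1 are affected."""
    return parse_version(version) < (2, 10, 1)


def find_unauth_admin_hits(log_text):
    """Return (priority, event) pairs for 2xx responses to /apisix/admin/*
    requests that carried no credentials; priority is 'high' for the IOC path."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        path = event["path"]
        if (path.startswith("/apisix/admin/")
                and path not in UNAUTH_ALLOWED
                and not event["auth_present"]
                and 200 <= event["status"] < 300):
            priority = "high" if path == IOC_PATH else "medium"
            hits.append((priority, event))
    return hits
```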

CVSS provenance

Source | Version | Score | Severity | Vector
NVD | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P