Because the application makes its access control determination from the value of the X-Forwarded-For request header, an attacker can bypass access control simply by tampering with that request header when invoking the API.
In Apache APISIX Dashboard 2.6 there are two relevant configuration items:

- `conf.listen.host`, which specifies the IP address the Manager API listens on at startup. It defaults to `0.0.0.0`, so requests from external networks are accepted by default.
- `conf.allow_list`, which is used for access control and by default only allows access from `127.0.0.1` (i.e. local access only).

Because the program makes the access control determination by reading the value of the `X-Forwarded-For` request header, an attacker can bypass the allow list simply by tampering with that header when invoking an API request.
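As an added illustration, not code from the Apache APISIX Dashboard project: a minimal Go sketch of the flawed check beside a hardened variant that derives the client address from the TCP peer and honours X-Forwarded-For only when the peer is a configured trusted reverse proxy. The `trustedProxies` setting, the sample addresses and the request are constructed assumptions.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
)

// peerIP returns the host part of the TCP peer address (e.g. "1.2.3.4:5678").
func peerIP(r *http.Request) string {
	if host, _, err := net.SplitHostPort(r.RemoteAddr); err == nil {
		return host
	}
	return r.RemoteAddr
}

// vulnerableClientIP reproduces the flawed pattern: the caller-controlled
// X-Forwarded-For header is taken as the client address, so a remote client
// that presents an allow-listed value passes the conf.allow_list check.
func vulnerableClientIP(r *http.Request) string {
	if xff := r.Header.Get("X-Forwarded-For"); xff != "" {
		return strings.TrimSpace(strings.Split(xff, ",")[0])
	}
	return peerIP(r)
}

// hardenedClientIP starts from the transport-level peer and consults
// X-Forwarded-For only when that peer is a configured trusted reverse proxy
// (trustedProxies is an assumed setting, not an APISIX Dashboard option).
func hardenedClientIP(r *http.Request, trustedProxies map[string]bool) string {
	peer := peerIP(r)
	if !trustedProxies[peer] {
		return peer // direct client: the header is untrusted input, ignore it
	}
	// The rightmost entry was appended by the trusted proxy and names the
	// client that connected to it; earlier entries remain unverified.
	parts := strings.Split(r.Header.Get("X-Forwarded-For"), ",")
	if ip := strings.TrimSpace(parts[len(parts)-1]); ip != "" {
		return ip
	}
	return peer
}

func main() {
	allow := map[string]bool{"127.0.0.1": true} // plays the role of conf.allow_list
	// Constructed request: an external peer sending a spoofed X-Forwarded-For.
	r := &http.Request{RemoteAddr: "203.0.113.7:4321", Header: http.Header{"X-Forwarded-For": {"127.0.0.1"}}}
	fmt.Println(allow[vulnerableClientIP(r)], allow[hardenedClientIP(r, nil)]) // true false
}
```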
Affected version: Apache APISIX 2.6.0
This issue has been fixed in version 2.6.1. Please update to the latest version as soon as possible, and change the default username and password after deploying the application.
Vulnerability disclosure date: June 8, 2021
CVE details: https://nvd.nist.gov/vuln/detail/CVE-2021-33190
This vulnerability was discovered by Vern at Ping An Technology Galaxy Security Lab and reported to the Apache Software Foundation. Thanks to Vern and Ping An Technology Galaxy Security Lab for their contributions to the Apache APISIX community.