An unauthorized-access vulnerability exists in Apache APISIX Dashboard versions 2.7 through 2.10; the details of how it is being handled are announced here.
Attackers can reach certain interfaces without logging in to the Apache APISIX Dashboard, allowing them to make unauthorized changes or to read configuration information such as Apache APISIX Routes, Upstreams and Services. This can lead to problems such as SSRF, malicious traffic proxies built by attackers, and arbitrary code execution.
Affected versions: Apache APISIX Dashboard 2.7 - 2.10
Please upgrade to Apache APISIX Dashboard version 2.10.1 or later.
It is also recommended that users change the default username and password promptly and restrict which source IP addresses may access the Apache APISIX Dashboard.
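The three actions above (upgrade, replace default credentials, restrict source IPs) can be audited with a small script. The following is an added example and is not part of this advisory or of the Apache APISIX Dashboard project; it assumes the Dashboard's configuration, once loaded, has `authentication.users` entries with `username`/`password` fields and a `conf.allow_list` of permitted addresses, and that `admin`/`admin` is the shipped default credential pair. Verify those assumptions against the `conf.yaml` of your installed version before relying on the result.

```python
"""Audit helper for the Apache APISIX Dashboard advisory (CVE-2021-45232).

Added example, not project code. It checks three things the advisory calls out:
  1. whether a Dashboard version falls in the affected range 2.7 - 2.10 (fixed in 2.10.1);
  2. whether default credentials are still configured;
  3. whether a source-IP allow list restricts who can reach the Dashboard.
The config keys used (authentication.users, conf.allow_list) are assumptions
about the Dashboard's conf.yaml layout; check them against your installed version.
"""
from typing import Dict, List, Tuple

AFFECTED_MIN = (2, 7, 0)   # first affected release, per the advisory
FIXED = (2, 10, 1)         # first fixed release, per the advisory

# Assumed shipped default credentials; extend with any defaults your deployment used.
DEFAULT_CREDENTIALS = {("admin", "admin")}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '2.10.1', '2.7' or 'v2.10' into a comparable (major, minor, patch) tuple."""
    parts = text.strip().lstrip("v").split(".")
    nums = [int(p) for p in parts[:3]]
    while len(nums) < 3:          # '2.7' means 2.7.0
        nums.append(0)
    return nums[0], nums[1], nums[2]


def is_affected(version: str) -> bool:
    """True if the version lies in the advisory's affected range [2.7, 2.10.1)."""
    return AFFECTED_MIN <= parse_version(version) < FIXED


def audit_config(version: str, config: Dict) -> List[str]:
    """Return findings for a Dashboard at `version` with loaded config `config`.

    An empty list means the upgrade, credential and allow-list checks all passed.
    """
    findings: List[str] = []
    if is_affected(version):
        findings.append(f"version {version} is affected by CVE-2021-45232; upgrade to 2.10.1 or later")

    # Assumed layout: authentication.users is a list of {username, password} mappings.
    users = config.get("authentication", {}).get("users", [])
    for user in users:
        if (user.get("username"), user.get("password")) in DEFAULT_CREDENTIALS:
            findings.append(f"default credentials still configured for user '{user.get('username')}'")

    # Assumed layout: conf.allow_list is a list of IPs/CIDRs permitted to reach the Dashboard.
    allow_list = config.get("conf", {}).get("allow_list") or []
    if not allow_list:
        findings.append("no source-IP allow list configured; any address can reach the Dashboard")
    elif any(entry in ("0.0.0.0/0", "::/0") for entry in allow_list):
        findings.append("allow list contains a catch-all entry, which does not restrict access")
    return findings


# Constructed sample configurations shaped like the assumed conf.yaml layout.
SAMPLE_CONFIG_WEAK = {
    "conf": {"listen": {"host": "0.0.0.0", "port": 9000}, "allow_list": []},
    "authentication": {"users": [{"username": "admin", "password": "admin"}]},
}

SAMPLE_CONFIG_HARDENED = {
    "conf": {"listen": {"host": "0.0.0.0", "port": 9000},
             "allow_list": ["127.0.0.1", "10.0.0.0/8"]},
    "authentication": {"users": [{"username": "ops", "password": "REPLACE-WITH-STRONG-SECRET"}]},
}

if __name__ == "__main__":
    for label, ver, cfg in (("weak", "2.9", SAMPLE_CONFIG_WEAK),
                            ("hardened", "2.10.1", SAMPLE_CONFIG_HARDENED)):
        print(label, audit_config(ver, cfg) or ["OK"])
```

Run against a real deployment by loading the Dashboard's `conf.yaml` into a dict (for example with PyYAML) and passing it together with the running version; a non-empty result lists which of the advisory's three recommendations still applies.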
Vulnerability public date: December 27, 2021
CVE details: https://nvd.nist.gov/vuln/detail/CVE-2021-45232
This vulnerability was discovered by Yucheng Zhu of the Security Team at Yuanbao Technology and reported to the Apache Software Foundation. Thank you for your contribution to the Apache APISIX community.