There is a security vulnerability of unauthorized access in Apache APISIX Dashboard 2.7-2.10, and the processing information will be announced.
Problem description
Attackers can access certain interfaces without logging in to Apache APISIX Dashboard, thus making unauthorized changes or obtaining relevant configuration information such as Apache APISIX Route, Upstream, Service, etc., and cause problems such as SSRF, malicious traffic proxies built by attackers, and arbitrary code execution.
Affected Versions
Apache APISIX Dashboard versions 2.7 - 2.10
Solution
Please update to Apache APISIX Dashboard version 2.10.1 and above.
Security Recommendations
It is recommended that users change their default user name and password in a timely manner and restrict source IP access to the Apache APISIX Dashboard.
Vulnerability details
Vulnerability public date: December 27, 2021
CVE details: https://nvd.nist.gov/vuln/detail/CVE-2021-45232
Contributor Profile
This vulnerability was discovered by Yucheng Zhu of the Security Team at Yuanbao Technology and reported to the Apache Software Foundation. Thank you for your contributions to the Apache APISIX community.
