On December 27, 2021, Apache issued a risk notice for an unauthorized-access vulnerability in the Apache APISIX Dashboard. The vulnerability is tracked as CVE-2021-45232 and is rated high risk.
The Apache APISIX Dashboard is designed to make it as easy as possible for users to operate Apache APISIX through a frontend interface. The Dashboard is the control plane and performs all parameter checks; Apache APISIX mixes data and control planes and will evolve to a pure data plane.
Vulnerability Detail
In Apache APISIX Dashboard before 2.10.1, the Manager API is built on two frameworks: the `droplet` framework is layered on top of `gin`. All APIs and the authentication middleware are implemented on `droplet`, but some APIs are registered directly through the `gin` interface, so requests to them never pass through the authentication middleware and can be reached without authentication.
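The following is an added example, not code from the Dashboard project: it models the bug pattern in plain net/http (one route registered straight on the mux instead of through the authentication wrapper) and shows a regression check that sends unauthenticated requests to every protected path and reports any that do not answer 401. The token, paths and handler names are constructed for illustration.

```go
package main

import (
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed placeholder; a real deployment checks a session or API token.
const demoToken = "demo-token"

// requireAuth stands in for the authentication middleware: it only forwards
// requests that carry the expected bearer token.
func requireAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer "+demoToken {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func ok(w http.ResponseWriter, _ *http.Request) { w.Write([]byte("ok")) }

// buildMux models the defect: most admin routes go through requireAuth, but
// with fixed=false one route is registered directly on the mux, so the
// middleware never sees it. With fixed=true every admin route is wrapped.
func buildMux(fixed bool) *http.ServeMux {
	mux := http.NewServeMux()
	mux.Handle("/admin/routes", requireAuth(http.HandlerFunc(ok)))
	if fixed {
		mux.Handle("/admin/export", requireAuth(http.HandlerFunc(ok)))
	} else {
		mux.HandleFunc("/admin/export", ok) // bypasses requireAuth
	}
	mux.HandleFunc("/login", ok) // intentionally public
	return mux
}

// UnprotectedRoutes is the regression check: every path under protectedPrefix
// is requested without credentials, and paths that do not reply 401 are returned.
func UnprotectedRoutes(h http.Handler, paths []string, protectedPrefix string) []string {
	var leaks []string
	for _, p := range paths {
		if !strings.HasPrefix(p, protectedPrefix) {
			continue
		}
		rec := httptest.NewRecorder()
		h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, p, nil))
		if rec.Code != http.StatusUnauthorized {
			leaks = append(leaks, p)
		}
	}
	return leaks
}

// adminPaths is the constructed route inventory the check is run against.
var adminPaths = []string{"/admin/routes", "/admin/export", "/login"}
```

Run the check against the route table of every build so a route added outside the authenticated group fails CI rather than shipping.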
Affected version
- Apache APISIX Dashboard < 2.10.1
Solution
We recommend that users upgrade to Apache APISIX Dashboard 2.10.1 promptly. Where an immediate upgrade is not possible, change the default username and password and restrict the source IP addresses allowed to reach the Apache APISIX Dashboard.