docs: add CVE-45232 post #829

Merged
merged 8 commits into from
Dec 28, 2021
46 changes: 46 additions & 0 deletions website/blog/2021/12/28/dashboard-cve-2021-45232.md
@@ -0,0 +1,46 @@
---
title: "Apache APISIX Dashboard Unauthorized Access Vulnerability Announcement (CVE-2021-45232)"
author: "Yucheng Zhu"
authorURL: "https://github.com/f11t3rStAr"
authorImageURL: "https://avatars.githubusercontent.com/u/71011664?v=4"
keywords:
- Apache APISIX
- APISIX Dashboard
- APISIX Route
- Unauthorized Access
- CVE
description: There is a security vulnerability of unauthorized access in Apache APISIX Dashboard 2.7-2.10, and the processing information will be announced.
tags: [Security]
---

> There is a security vulnerability of unauthorized access in Apache APISIX Dashboard 2.7-2.10, and the processing information will be announced.

<!--truncate-->

## Problem description

Attackers can access certain interfaces without logging in to Apache APISIX Dashboard, thus making unauthorized changes or obtaining relevant configuration information such as Apache APISIX Route, Upstream, Service, etc., and cause problems such as SSRF, malicious traffic proxies built by attackers, and arbitrary code execution.

## Affected Versions

Apache APISIX Dashboard versions 2.7 - 2.10

## Solution

Please update to Apache APISIX Dashboard version 2.10.1 and above.

## Security Recommendations

It is recommended that users change their default user name and password in a timely manner and restrict source IP access to the Apache APISIX Dashboard.

## Vulnerability details

Vulnerability public date: December 27, 2021

CVE details: https://nvd.nist.gov/vuln/detail/CVE-2021-45232

## Contributor Profile

This vulnerability was discovered by Yucheng Zhu of the Security Team at Yuanbao Technology and reported to the Apache Software Foundation. Thank you for your contributions to the Apache APISIX community.

![Yuanbao Technology](https://static.apiseven.com/202108/1640324848257-4978eaac-bfd7-4265-82d2-9c024956b933.png)
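Review bot: the "Security Recommendations" section undercuts the "Problem description" above it: the flaw is that attackers reach certain interfaces without logging in, so changing the default user name and password does not close the bypass, and the sentence as written may be read as an alternative to upgrading. Suggest leading with the upgrade to 2.10.1 as the required fix and presenting credential rotation and source-IP restriction as additional hardening, e.g. "Upgrading to 2.10.1 or later is required to fix this issue. In addition, we recommend changing the default user name and password and restricting which source IPs may reach the Apache APISIX Dashboard." Two smaller wording points in the same hunk: "the processing information will be announced" (description and the quoted lead paragraph) reads as a machine translation and could be "this post describes how it was handled", and "Vulnerability public date" would be clearer as "Disclosure date".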
@@ -0,0 +1,46 @@
---
title: "Apache APISIX Dashboard 未授权访问漏洞公告(CVE-2021-45232)"
author: "朱禹成"
authorURL: "https://github.com/f11t3rStAr"
authorImageURL: "https://avatars.githubusercontent.com/u/71011664?v=4"
keywords:
- Apache APISIX
- APISIX Dashboard
- APISIX Route
- 任意代码执行
- 授权访问
description: 在 Apache APISIX Dashboard 2.7-2.10 版本中出现了未经授权访问的安全漏洞,现将处理信息进行相关公告。
tags: [Security]
---

> 在 Apache APISIX Dashboard 2.7-2.10 版本中出现了未经授权访问的安全漏洞,现将处理信息进行相关公告。

<!--truncate-->

## 问题描述

攻击者无需登录 Apache APISIX Dashboard 即可访问某些接口,从而进行未授权更改或获取 Apache APISIX Route、Upstream、Service 等相关配置信息,并造成 SSRF、攻击者搭建恶意流量代理和任意代码执行等问题。

## 影响版本

Apache APISIX Dashboard 2.7 - 2.10 版本

## 解决方案

请及时更新至 Apache APISIX Dashboard 2.10.1 及以上版本。

## 安全建议

建议用户及时更改默认用户名与密码,并限制来源 IP 访问 Apache APISIX Dashboard。

## 漏洞详情

漏洞公开时间:2021 年 12 月 27 日

CVE 详细信息:https://nvd.nist.gov/vuln/detail/CVE-2021-45232

## 贡献者简介

该漏洞由源堡科技安全团队的朱禹成发现,并向 Apache 软件基金会上报该漏洞。感谢各位对 Apache APISIX 社区的贡献。

![源堡科技](https://static.apiseven.com/202108/1640324848257-4978eaac-bfd7-4265-82d2-9c024956b933.png)
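Review bot: the keyword `- 授权访问` is missing the negation and contradicts the title `未授权访问漏洞公告`; it should read `- 未授权访问`. The keyword list also diverges from the English post in this PR, which uses "Unauthorized Access" and "CVE" where this file has `任意代码执行` and `授权访问`; the two language versions should carry the same keywords so the posts are indexed consistently.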