QwikSec

Security Database

CVE

CWE

Training

CVE-2021-33190

Published: Jun 8, 2021

Modified: Aug 3, 2024

PUBLISHED

Description

In Apache APISIX Dashboard version 2.6, we changed the default value of listen host to 0.0.0.0 in order to facilitate users to configure external network access. In the IP allowed list restriction, a risky function was used for the IP acquisition, which made it possible to bypass the network limit. At the same time, the default account and password are fixed.Ultimately these factors lead to the issue of security risks. This issue is fixed in APISIX Dashboard 2.6.1

Vendor	Product	Versions
Apache Software Foundation	Apache APISIX Dashboard	affected `Apache APISIX Dashboard 2.6 2.6`

Weaknesses (CWE)

References

https://lists.apache.org/thread.html/re736aea55e8fd2478f0739c0c38a9375c4204fc1f0bd1ea687f57049%40%3Cdev.apisix.apache.org%3E

x_refsource_MISC

[apisix-dev] 20210608 CVE-2021-33190: Apache APISIX Dashboard: Bypass network access control

mailing-list

x_refsource_MLIST

[oss-security] 20210608 CVE-2021-33190: Apache APISIX Dashboard: Bypass network access control

mailing-list

x_refsource_MLIST

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.