CVE-2021-45232

Опубликовано: 27 дек. 2021

Источник: nvd

CVSS3: 9.8

CVSS2: 7.5

EPSS Критический

Описание

In Apache APISIX Dashboard before 2.10.1, the Manager API uses two frameworks and introduces framework droplet on the basis of framework gin, all APIs and authentication middleware are developed based on framework droplet, but some API directly use the interface of framework gin thus bypassing the authentication.

Ссылки

http://www.openwall.com/lists/oss-security/2021/12/27/1
Mailing List
Third Party Advisory
https://lists.apache.org/thread/979qbl6vlm8269fopfyygnxofgqyn6k5
Mailing List
Vendor Advisory
http://www.openwall.com/lists/oss-security/2021/12/27/1
Mailing List
Third Party Advisory
https://lists.apache.org/thread/979qbl6vlm8269fopfyygnxofgqyn6k5
Mailing List
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:apache:apisix_dashboard:*:*:*:*:*:*:*:*

Версия до 2.10.1 (исключая)

EPSS

Процентиль: 100%

0.93877

Критический

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

CWE-306

Связанные уязвимости

GHSA-wcxq-f256-53xp

github

около 4 лет назад

In Apache APISIX Dashboard before 2.10.1, the Manager API uses two frameworks and introduces framework `droplet` on the basis of framework `gin`, all APIs and authentication middleware are developed based on framework `droplet`, but some API directly use the interface of framework `gin` thus bypassing the authentication.

BDU:2022-00718