PT-2021-20072 · Apache · Apache Apisix Dashboard
Junxu Chen · Published 2021-06-08 · Updated 2024-03-06
CVE-2021-33190
CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Apache APISIX Dashboard version 2.6
Description
The issue arises from a combination of factors: the default listen host was changed to 0.0.0.0 to allow access from external networks, the IP allowlist restriction determines the client IP with a risky function, and the account and password have fixed defaults. Together these factors make it possible to bypass the intended network restriction.
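The mechanism the description refers to, as an added illustration that is not the APISIX Dashboard's own code: the advisory does not name the risky function, so the example assumes the common case in which the client IP is read from a forwarded header that the caller controls, and places it beside an allowlist check that uses the TCP peer address and honours forwarding headers only when the peer is a configured reverse proxy. The names (AllowList, riskyClientIP, safeClientIP, RequestFrom) and all addresses are constructed for the example.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// AllowList is a set of CIDR ranges permitted to reach the management API
// (constructed for this example; not the Dashboard's own type).
type AllowList struct {
	nets []*net.IPNet
}

// NewAllowList parses CIDR strings such as "127.0.0.0/8".
func NewAllowList(cidrs ...string) (*AllowList, error) {
	a := &AllowList{}
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return nil, fmt.Errorf("bad allowlist entry %q: %w", c, err)
		}
		a.nets = append(a.nets, n)
	}
	return a, nil
}

// Contains reports whether ip falls inside any allowed range.
func (a *AllowList) Contains(ip net.IP) bool {
	if a == nil || ip == nil {
		return false
	}
	for _, n := range a.nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// peerIP is the address of the TCP peer that opened the connection;
// a remote caller cannot choose this value.
func peerIP(r *http.Request) net.IP {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		host = r.RemoteAddr
	}
	return net.ParseIP(host)
}

// riskyClientIP stands in for the kind of "risky function for IP acquisition"
// the advisory mentions (assumed, not the Dashboard's actual function): it
// prefers X-Forwarded-For, which is ordinary request data, so the allowlist
// ends up testing an address the caller merely claims.
func riskyClientIP(r *http.Request) net.IP {
	if xff := r.Header.Get("X-Forwarded-For"); xff != "" {
		first := strings.TrimSpace(strings.Split(xff, ",")[0])
		if ip := net.ParseIP(first); ip != nil {
			return ip
		}
	}
	return peerIP(r)
}

// safeClientIP uses the peer address and consults X-Forwarded-For only when
// the peer is a configured reverse proxy; the rightmost entry is the one that
// proxy appended, so it is the only one worth reading.
func safeClientIP(r *http.Request, trustedProxies *AllowList) net.IP {
	peer := peerIP(r)
	xff := r.Header.Get("X-Forwarded-For")
	if !trustedProxies.Contains(peer) || xff == "" {
		return peer
	}
	parts := strings.Split(xff, ",")
	if ip := net.ParseIP(strings.TrimSpace(parts[len(parts)-1])); ip != nil {
		return ip
	}
	return peer
}

// AllowedRisky and AllowedSafe are the two allowlist checks side by side.
func AllowedRisky(r *http.Request, allow *AllowList) bool {
	return allow.Contains(riskyClientIP(r))
}

func AllowedSafe(r *http.Request, allow, trustedProxies *AllowList) bool {
	return allow.Contains(safeClientIP(r, trustedProxies))
}

// RequestFrom builds a request that arrived from remoteAddr, optionally
// carrying an X-Forwarded-For header (constructed input for the example).
func RequestFrom(remoteAddr, xff string) *http.Request {
	r := httptest.NewRequest(http.MethodGet, "/", nil)
	r.RemoteAddr = remoteAddr
	if xff != "" {
		r.Header.Set("X-Forwarded-For", xff)
	}
	return r
}

func main() {
	allow, _ := NewAllowList("127.0.0.0/8")   // only loopback may manage
	proxies, _ := NewAllowList("10.0.0.5/32") // the single reverse proxy in front
	ext := RequestFrom("203.0.113.7:4321", "127.0.0.1")
	fmt.Println("header-based check:", AllowedRisky(ext, allow)) // true
	fmt.Println("peer-based check:  ", AllowedSafe(ext, allow, proxies)) // false
	viaProxy := RequestFrom("10.0.0.5:5555", "127.0.0.1")
	fmt.Println("via trusted proxy: ", AllowedSafe(viaProxy, allow, proxies)) // true
}
```

The defensive point is that the allowlist must be evaluated against something the network layer guarantees (the peer address) and that proxy headers are trusted only from peers you run yourself; binding the listener to 0.0.0.0 is what turns a header-trusting check from a local nuisance into an exposure.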
Recommendations
For Apache APISIX Dashboard version 2.6, update to version 2.6.1 to resolve the issue. As a temporary workaround until the update can be applied, restrict network access to the Dashboard rather than relying on its IP allowlist feature. Additionally, changing the default account and password helps minimize the risk of exploitation.
Weakness Enumeration
Improper Restriction of Excessive Authentication Attempts
Affected Products
Apache Apisix Dashboard