CVE-2021-45232

9.8 CRITICAL

📋 TL;DR

Apache APISIX Dashboard enforces authentication in its droplet framework layer, but some API endpoints are reachable directly through the underlying gin framework, where no authentication check is applied; an attacker can therefore call those endpoints without credentials. It affects all Apache APISIX Dashboard deployments before version 2.10.1 and enables unauthorized access to administrative functions.

💻 Affected Systems

Products:
  • Apache APISIX Dashboard
Versions: All versions before 2.10.1
Operating Systems: All operating systems running APISIX Dashboard
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments using the vulnerable dashboard version are affected regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the APISIX Dashboard, allowing attackers to reconfigure API routes, modify security policies, inject malicious code, or gain control over the entire API gateway infrastructure.

🟠 Likely Case

Unauthorized administrative access leading to configuration changes, data exposure, or service disruption through API route manipulation.

🟢 If Mitigated

Limited impact if network segmentation restricts dashboard access and proper authentication controls are in place elsewhere.

🌐 Internet-Facing: HIGH - Internet-facing dashboards are directly exploitable without authentication.
🏢 Internal Only: HIGH - Internal dashboards remain vulnerable to insider threats or compromised internal systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability is straightforward to exploit as it involves direct API calls bypassing authentication middleware.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.10.1

Vendor Advisory: https://lists.apache.org/thread/979qbl6vlm8269fopfyygnxofgqyn6k5

Restart Required: Yes

Instructions:

1. Stop the APISIX Dashboard service.
2. Upgrade to version 2.10.1 or later.
3. Restart the service.
4. Verify the fix by testing authentication requirements.

🔧 Temporary Workarounds

Network Access Restriction (Linux)

Restrict network access to the dashboard management interface (port 9000 is the dashboard's default listen port) using firewall rules. Replace trusted_ip_range with the CIDR of the hosts that administer the dashboard; the ACCEPT rule must be inserted before the DROP rule, as shown.

iptables -A INPUT -p tcp --dport 9000 -s trusted_ip_range -j ACCEPT
iptables -A INPUT -p tcp --dport 9000 -j DROP

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate the dashboard from untrusted networks
  • Deploy a web application firewall (WAF) with authentication bypass detection rules

🔍 How to Verify

Check if Vulnerable:

Check the dashboard version via the web interface or by examining the deployment configuration. Versions before 2.10.1 are vulnerable.

Check Version:

curl -s http://dashboard-host:port/apisix/admin/routes | grep version

Alternatively, check the version shown in the dashboard web interface.

Verify Fix Applied:

After patching, attempt to access dashboard APIs without authentication. All requests should return authentication errors.

📡 Detection & Monitoring

Log Indicators:

  • Unauthenticated API requests to dashboard endpoints
  • Authentication bypass attempts in access logs
  • Unusual administrative actions from unexpected IP addresses

Network Indicators:

  • Direct API calls to dashboard endpoints without authentication headers
  • Traffic to dashboard management port from unauthorized sources

SIEM Query:

source="apisix-dashboard" AND (status=200 OR status=201) AND user="" AND auth_token=""

The field names (source, status, user, auth_token) are placeholders; map them to the fields your log pipeline extracts from the dashboard access logs.
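As an added example (not from this advisory or the APISIX project), the following Python script applies the log indicators above to a few constructed access-log lines: it flags every successful request to a /apisix/admin/ path that carries no Authorization value. The log format, the trailing authorization field, and the login-endpoint allowlist are assumptions to adapt to your own log pipeline.

```python
import re

# Constructed sample lines (not real APISIX Dashboard logs): combined-log style
# with one extra quoted field holding the Authorization header, "-" when absent.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Dec/2021:10:01:02 +0000] "POST /apisix/admin/user/login HTTP/1.1" 200 312 "-"
10.0.0.5 - - [20/Dec/2021:10:01:03 +0000] "GET /apisix/admin/routes HTTP/1.1" 200 1450 "constructed-session-token"
203.0.113.7 - - [20/Dec/2021:10:02:10 +0000] "GET /apisix/admin/routes HTTP/1.1" 401 88 "-"
203.0.113.7 - - [20/Dec/2021:10:02:11 +0000] "GET /apisix/admin/upstreams HTTP/1.1" 200 2210 "-"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ "(?P<auth>[^"]*)"$'
)

# Assumed login endpoint: the only admin call expected to succeed without a token.
UNAUTH_ALLOWED = {"/apisix/admin/user/login"}


def parse_line(line):
    """Return the parsed fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_suspicious(rec):
    """True for a successful (2xx) admin-API call that presented no credentials."""
    if not rec["path"].startswith("/apisix/admin/"):
        return False
    if rec["path"] in UNAUTH_ALLOWED:
        return False
    if not rec["status"].startswith("2"):
        return False
    return rec["auth"] in ("", "-")


def find_unauthenticated_admin_hits(log_text):
    """Scan a log blob and return (ip, method, path, status) for each suspicious request."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_suspicious(rec):
            hits.append((rec["ip"], rec["method"], rec["path"], rec["status"]))
    return hits


if __name__ == "__main__":
    for ip, method, path, status in find_unauthenticated_admin_hits(SAMPLE_LOG):
        print(f"ALERT unauthenticated admin access: {ip} {method} {path} -> {status}")
```

A denied request (401) is not flagged; it is the 2xx response to an unauthenticated admin call that indicates the bypass actually succeeded.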
