CVE-2021-45232
security vulnerability on unauthorized access.
Severity Score
9.8
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
8
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
In Apache APISIX Dashboard before 2.10.1, the Manager API uses two frameworks and introduces framework `droplet` on the basis of framework `gin`, all APIs and authentication middleware are developed based on framework `droplet`, but some API directly use the interface of framework `gin` thus bypassing the authentication.
En Apache APISIX Dashboard versiones anteriores a 2.10.1, la API del Administrador usa dos frameworks e introduce el framework "droplet" sobre la base del framework "gin", todas las APIs y el middleware de autenticación se desarrollan sobre la base del framework "droplet", pero algunas APIs usan directamente la interfaz del framework "gin" omitiendo así la autenticación
*Credits:
Independently discovered by ZHU Yucheng of YuanbaoTeach Security Team.
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2021-12-18 CVE Reserved
- 2021-12-27 CVE Published
- 2021-12-28 First Exploit
- 2024-08-04 CVE Updated
- 2024-11-18 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-306: Missing Authentication for Critical Function
CAPEC
References (10)
| URL | Tag | Source |
|---|---|---|
| http://www.openwall.com/lists/oss-security/2021/12/27/1 | Mailing List |
|
| URL | Date | SRC |
|---|---|---|
| https://github.com/GYLQ/CVE-2021-45232-RCE | 2022-01-13 | |
| https://github.com/jxpsx/CVE-2021-45232-RCE | 2021-12-28 | |
| https://github.com/fany0r/CVE-2021-45232-RCE | 2023-06-24 | |
| https://github.com/dskho/CVE-2021-45232 | 2021-12-29 | |
| https://github.com/yggcwhat/CVE-2021-45232 | 2022-01-08 | |
| https://github.com/LTiDi2000/CVE-2021-45232 | 2021-12-28 | |
| https://github.com/badboycxcc/CVE-2021-45232-POC | 2021-12-28 | |
| https://github.com/Osyanina/westone-CVE-2021-45232-scanner | 2021-12-28 |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://lists.apache.org/thread/979qbl6vlm8269fopfyygnxofgqyn6k5 | 2022-01-07 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Apache Search vendor "Apache" | Apisix Dashboard Search vendor "Apache" for product "Apisix Dashboard" | < 2.10.1 Search vendor "Apache" for product "Apisix Dashboard" and version " < 2.10.1" | - |
Affected
| ||||||