Vulnerability Details : CVE-2021-33190
In Apache APISIX Dashboard version 2.6, we changed the default value of the listen host to 0.0.0.0 in order to make it easier for users to configure external network access. In the IP allowed list restriction, a risky function was used for IP acquisition, which made it possible to bypass the network limit. At the same time, the default account and password are fixed. Ultimately these factors lead to security risks. This issue is fixed in APISIX Dashboard 2.6.1.
Products affected by CVE-2021-33190
- cpe:2.3:a:apache:apisix_dashboard:2.6:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-33190
- EPSS score: 1.54% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~80% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2021-33190
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N | 10.0 | 2.9 | NIST |
5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N | 3.9 | 1.4 | NIST |
CWE ids for CVE-2021-33190
- The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.
  Assigned by:
  - nvd@nist.gov (Primary)
  - security@apache.org (Secondary)
References for CVE-2021-33190
- http://www.openwall.com/lists/oss-security/2021/06/08/4
  oss-security - CVE-2021-33190: Apache APISIX Dashboard: Bypass network access control (Mailing List; Third Party Advisory)
- https://lists.apache.org/thread.html/re736aea55e8fd2478f0739c0c38a9375c4204fc1f0bd1ea687f57049%40%3Cdev.apisix.apache.org%3E
  CVE-2021-33190: Apache APISIX Dashboard: Bypass network access control - Pony Mail (Mailing List; Vendor Advisory)
- https://lists.apache.org/thread.html/re736aea55e8fd2478f0739c0c38a9375c4204fc1f0bd1ea687f57049@%3Cdev.apisix.apache.org%3E
  Pony Mail! (Mailing List; Vendor Advisory)