5.3

CVE-2021-33190

EPSS 2.08%
Published 08.06.2021 15:15:08
Last modified 21.11.2024 06:08:28
Source security@apache.org
Teams watchlist Login
Open Login

In Apache APISIX Dashboard version 2.6, we changed the default value of listen host to 0.0.0.0 in order to facilitate users to configure external network access. In the IP allowed list restriction, a risky function was used for the IP acquisition, which made it possible to bypass the network limit. At the same time, the default account and password are fixed.Ultimately these factors lead to the issue of security risks. This issue is fixed in APISIX Dashboard 2.6.1

Affected products Warnungen 0 Metrics 3 CWE 1 References 5

Data is provided by the National Vulnerability Database (NVD)

Apache ≫ Apisix Dashboard Version2.6

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	2.08%	0.833

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
nvd@nist.gov	5	10	2.9	AV:N/AC:L/Au:N/C:N/I:P/A:N

CWE-307 Improper Restriction of Excessive Authentication Attempts

The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.

http://www.openwall.com/lists/oss-security/2021/06/08/4

Third Party Advisory

Mailing List

https://lists.apache.org/thread.html/re736aea55e8fd2478f0739c0c38a9375c4204fc1f0bd1ea687f57049%40%3Cdev.apisix.apache.org%3E

Vendor Advisory

Mailing List

https://nvd.nist.gov/vuln/detail/CVE-2021-33190

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-33190

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-33190

EUVD