CVE-2021-45232: Apache APISIX Dashboard: security vulnerability on unauthorized access

[JunXu Chen <chenjunxu () apache org>]

Severity: high

Description:

In Apache APISIX Dashboard before 2.10.1, the Manager API uses two
frameworks and introduces framework `droplet` on the basis of
framework `gin`, all APIs and authentication middleware are developed
based on framework `droplet`, but some API directly use the interface
of framework `gin` thus bypassing the authentication.

Mitigation:

Implement one of the following mitigation techniques:

1. Upgrade to release 2.10.1

2. Change the default username and password, restrict the source IP to
access the Apache APISIX Dashboard

Credit:

Independently discovered by ZHU Yucheng of YuanbaoTeach Security Team.