.. / CVE-2021-45232

Exploit for Apache APISIX Dashboard <2.10.1 - API Unauthorized Access (CVE-2021-45232)

Description:

In Apache APISIX Dashboard before 2.10.1, the Manager API uses two frameworks and introduces framework droplet on the basis of framework gin.' While all APIs and authentication middleware are developed based on framework droplet, some API directly use the interface of framework gin` thus bypassing their authentication.

Nuclei Template

View the template here CVE-2021-45232.yaml

Validate with Nuclei

echo "$URL" | nuclei -t ~/nuclei-templates/http/cves/2021/CVE-2021-45232.yaml

References:

https://nvd.nist.gov/vuln/detail/CVE-2021-45232
https://github.com/pingpongcult/CVE-2021-45232
https://apisix.apache.org/zh/blog/2021/12/28/dashboard-cve-2021-45232/
https://github.com/wuppp/cve-2021-45232-exp
https://github.com/advisories/GHSA-wcxq-f256-53xp
https://twitter.com/403Timeout/status/1475715079173976066

.. / CVE-2021-45232 if(localStorage["style"]=="true"){ document.getElementById('pagestyle').setAttribute('href','/assets/styleDark.css'); document.querySelector('input[type="checkbox"]').checked = true }

Exploit for Apache APISIX Dashboard <2.10.1 - API Unauthorized Access (CVE-2021-45232)

Description:

Nuclei Template

Validate with Nuclei

.. / CVE-2021-45232