Details of VAR-202106-1173

ID

VAR-202106-1173

CVE

CVE-2021-33190

TITLE

Apache APISIX Dashboard Vulnerability regarding improper restriction of excessive authentication attempts in

Trust: 0.8

sources: JVNDB: JVNDB-2021-008153

DESCRIPTION

In Apache APISIX Dashboard version 2.6, we changed the default value of listen host to 0.0.0.0 in order to facilitate users to configure external network access. In the IP allowed list restriction, a risky function was used for the IP acquisition, which made it possible to bypass the network limit. At the same time, the default account and password are fixed.Ultimately these factors lead to the issue of security risks. This issue is fixed in APISIX Dashboard 2.6.1. Apache APISIX Dashboard Is vulnerable to improper restriction of excessive authentication attempts.Information may be tampered with. Apache Apisix is a cloud-native microservice API gateway service of the Apache Foundation. The software is implemented based on OpenResty and etcd, with dynamic routing and plug-in hot loading, suitable for API management under the microservice system. APISIX Dashboard has a security vulnerability in version 2.6. Attackers may use this vulnerability to bypass network restrictions

Trust: 2.16

sources: NVD: CVE-2021-33190 // JVNDB: JVNDB-2021-008153 // CNVD: CNVD-2022-62078

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2022-62078

AFFECTED PRODUCTS

vendor:	apache	model:	apisix dashboard	scope:	eq	version:	2.6	Trust: 1.8
vendor:	apache	model:	apisix dashboard	scope:	eq	version:	-	Trust: 0.8
vendor:	apache	model:	apisix	scope:	eq	version:	2.6	Trust: 0.6

sources: CNVD: CNVD-2022-62078 // JVNDB: JVNDB-2021-008153 // NVD: CVE-2021-33190

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2021-33190
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2021-33190
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2022-62078
value:	MEDIUM
Trust: 0.6

nvd@nist.gov:	CVE-2021-33190
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2022-62078
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2021-33190
baseSeverity:	MEDIUM
baseScore:	5.3
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	1.4
version:	3.1
Trust: 1.0
NVD:	CVE-2021-33190
baseSeverity:	MEDIUM
baseScore:	5.3
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2022-62078 // JVNDB: JVNDB-2021-008153 // NVD: CVE-2021-33190

PROBLEMTYPE DATA

problemtype:	CWE-307	Trust: 1.0
problemtype:	Inappropriate restriction of excessive authentication attempts (CWE-307) [NVD Evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2021-008153 // NVD: CVE-2021-33190

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202106-592

PATCH

title:	Bypass network access control	url:	https://lists.apache.org/thread/zyyzycodf2mz9qwgkz3pp8jgmrtmvopo	Trust: 0.8
title:	Patch for Apache APISIX Access Control Error Vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/349311	Trust: 0.6
title:	Apache APISIX Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=153253	Trust: 0.6

sources: CNVD: CNVD-2022-62078 // JVNDB: JVNDB-2021-008153 // CNNVD: CNNVD-202106-592

EXTERNAL IDS

db:	NVD	id:	CVE-2021-33190	Trust: 3.8
db:	OPENWALL	id:	OSS-SECURITY/2021/06/08/4	Trust: 1.6
db:	JVNDB	id:	JVNDB-2021-008153	Trust: 0.8
db:	CNVD	id:	CNVD-2022-62078	Trust: 0.6
db:	CNNVD	id:	CNNVD-202106-592	Trust: 0.6

sources: CNVD: CNVD-2022-62078 // JVNDB: JVNDB-2021-008153 // CNNVD: CNNVD-202106-592 // NVD: CVE-2021-33190

REFERENCES

url:	https://lists.apache.org/thread.html/re736aea55e8fd2478f0739c0c38a9375c4204fc1f0bd1ea687f57049%40%3cdev.apisix.apache.org%3e	Trust: 1.6
url:	http://www.openwall.com/lists/oss-security/2021/06/08/4	Trust: 1.6
url:	https://nvd.nist.gov/vuln/detail/cve-2021-33190	Trust: 1.4
url:	https://lists.apache.org/thread.html/re736aea55e8fd2478f0739c0c38a9375c4204fc1f0bd1ea687f57049@%3cdev.apisix.apache.org%3e	Trust: 0.6

sources: CNVD: CNVD-2022-62078 // JVNDB: JVNDB-2021-008153 // CNNVD: CNNVD-202106-592 // NVD: CVE-2021-33190

SOURCES

db:	CNVD	id:	CNVD-2022-62078
db:	JVNDB	id:	JVNDB-2021-008153
db:	CNNVD	id:	CNNVD-202106-592
db:	NVD	id:	CVE-2021-33190

LAST UPDATE DATE

2024-08-14T13:54:02.690000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2022-62078	date:	2022-09-07T00:00:00
db:	JVNDB	id:	JVNDB-2021-008153	date:	2022-03-04T08:56:00
db:	CNNVD	id:	CNNVD-202106-592	date:	2021-06-09T00:00:00
db:	NVD	id:	CVE-2021-33190	date:	2023-11-07T03:35:48.893

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2022-62078	date:	2022-09-07T00:00:00
db:	JVNDB	id:	JVNDB-2021-008153	date:	2022-03-04T00:00:00
db:	CNNVD	id:	CNNVD-202106-592	date:	2021-06-08T00:00:00
db:	NVD	id:	CVE-2021-33190	date:	2021-06-08T15:15:08.040