CVE-2021-45232 PoC — security vulnerability on unauthorized access.

Source

https://github.com/Ilovewomen/cve-2021-45232

Associated Vulnerability

Title:security vulnerability on unauthorized access. (CVE-2021-45232)
Description:In Apache APISIX Dashboard before 2.10.1, the Manager API uses two frameworks and introduces framework `droplet` on the basis of framework `gin`, all APIs and authentication middleware are developed based on framework `droplet`, but some API directly use the interface of framework `gin` thus bypassing the authentication.

Readme

# cve-2021-45232

漏洞描述

Apache APISIX 是一个动态、实时、高性能的 API 网关， 提供负载均衡、动态上游、灰度发布、服务熔断、身份认证、可观测性等丰富的流量管理功能。Apache APISIX Dashboard 使用户可通过前端界面操作 Apache APISIX。

该漏洞的存在是由于 Manager API 中的错误。Manager API 在 gin 框架的基础上引入了 droplet 框架，所有的 API 和鉴权中间件都是基于 droplet 框架开发的。但是有些 API 直接使用了框架 gin 的接口，从而绕过身份验证。

该漏洞危害等级：高危

CVE 编号
CVE-2021-45232

影响范围

Apache APISIX Dashboard < 2.10.1

poc:

ip+port/apisix/admin/migrate/export

![image](https://user-images.githubusercontent.com/90023952/147618346-d02d8854-9da6-4626-b7f3-ed78e12d0181.png)
![image](https://user-images.githubusercontent.com/90023952/147618415-aed9d7dd-0e3e-4fa9-8128-ddda2d557857.png)

File Snapshot


 [4.0K]  /data/pocs/99149d16770694f8cc38f0cd0b2598962fd4cd4d
└── [ 955]  README.md

0 directories, 1 file

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.

View subscription plans →

Goal Reached Thanks to every supporter — we hit 100%!