
====================================================================

                             CERT-Renater

                 Note d'Information No. 2021/VULN308
_____________________________________________________________________

DATE                : 08/06/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache APISIX Dashboard versions
                     prior to 2.6.1.

=====================================================================
http://mail-archives.apache.org/mod_mbox/apisix-dev/202106.mbox/%3cCAMikTu5EMKjehMu5gHGo5RUPOtVbwhdhibmrOX3du1HAWqqdbQ@mail.gmail.com%3e
_____________________________________________________________________

Severity: important

Description:

In Apache APISIX Dashboard version 2.6, we changed the default value of
listen host to 0.0.0.0 in order to facilitate users to configure
external network access. In the IP allowed list restriction, a risky
function was used for the IP acquisition, which made it possible to
bypass the network limit. At the same time, the default account and
password are fixed. Ultimately these factors lead to the issue of
security risks. This issue is fixed in APISIX Dashboard 2.6.1.
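The mechanism described above, as an added illustration that is not part of this advisory nor of the APISIX Dashboard code base: the advisory does not name the risky function, so this example assumes the common case of an allow-list check that takes the client address from a client-supplied X-Forwarded-For header instead of from the TCP peer. The allow list, the trusted proxy address and the request values are constructed for the example. It contrasts the weak acquisition with two safer ones: the peer address alone, and the forwarded header honoured only when the peer is one of the operator's own proxies.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
)

// Constructed sample values: the networks the operator wants to admit to the
// dashboard, and the address of the operator's own reverse proxy.
var allowList = []string{"127.0.0.1/32", "10.0.0.0/8"}
var trustedProxies = []string{"10.0.0.2/32"}

// peerIP returns the address of the TCP peer, which a remote client cannot
// forge without controlling the network path.
func peerIP(r *http.Request) string {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		return r.RemoteAddr
	}
	return host
}

// weakClientIP reproduces the risky pattern (assumed, see lead-in): it
// prefers whatever the client wrote into X-Forwarded-For over the peer address.
func weakClientIP(r *http.Request) string {
	if xff := r.Header.Get("X-Forwarded-For"); xff != "" {
		return strings.TrimSpace(strings.Split(xff, ",")[0])
	}
	return peerIP(r)
}

// safeClientIP ignores client-controlled headers entirely; correct when the
// dashboard is reached directly, as with the 0.0.0.0 default listen host.
func safeClientIP(r *http.Request) string {
	return peerIP(r)
}

// clientIPBehindTrustedProxy honours X-Forwarded-For only when the peer is a
// known proxy, and then takes the last entry, which is the one that proxy
// appended (the address that actually connected to it).
func clientIPBehindTrustedProxy(r *http.Request, proxies []string) string {
	peer := peerIP(r)
	if !ipAllowed(peer, proxies) {
		return peer
	}
	if xff := r.Header.Get("X-Forwarded-For"); xff != "" {
		parts := strings.Split(xff, ",")
		return strings.TrimSpace(parts[len(parts)-1])
	}
	return peer
}

// ipAllowed reports whether ipStr falls inside any of the CIDR ranges.
func ipAllowed(ipStr string, cidrs []string) bool {
	ip := net.ParseIP(ipStr)
	if ip == nil {
		return false
	}
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err == nil && n.Contains(ip) {
			return true
		}
	}
	return false
}

// newRequest builds a constructed request with a given peer address and an
// optional X-Forwarded-For value.
func newRequest(remoteAddr, xff string) *http.Request {
	r, _ := http.NewRequest("GET", "/", nil)
	r.RemoteAddr = remoteAddr
	if xff != "" {
		r.Header.Set("X-Forwarded-For", xff)
	}
	return r
}

func main() {
	// A request from an outside address carrying a forged loopback header.
	spoofed := newRequest("203.0.113.7:51000", "127.0.0.1")
	fmt.Println("weak check admits it:", ipAllowed(weakClientIP(spoofed), allowList))  // true
	fmt.Println("peer check admits it:", ipAllowed(safeClientIP(spoofed), allowList))  // false

	// The same attempt relayed by the operator's proxy, which appends the real
	// client address; the trusted-proxy variant resolves to that address.
	relayed := newRequest("10.0.0.2:33000", "127.0.0.1, 198.51.100.9")
	fmt.Println("resolved behind proxy:", clientIPBehindTrustedProxy(relayed, trustedProxies)) // 198.51.100.9
}
```

The practical reading for operators: with the dashboard listening on all interfaces and an allow list evaluated on a forwarded header, the allow list is not a network control at all, which is why the advisory pairs it with the fixed default credentials; an allow list must be keyed on the peer address, or on a forwarded header that only a verified proxy can set.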


Mitigation:

1. Change the account password after installation; do not use the
default password.

2. Upgrade to 2.6.1 or newer.


=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================