Description
In Apache APISIX Dashboard version 2.6, we changed the default value of listen host to 0.0.0.0 in order to facilitate users to configure external network access. In the IP allowed list restriction, a risky function was used for the IP acquisition, which made it possible to bypass the network limit. At the same time, the default account and password are fixed.Ultimately these factors lead to the issue of security risks. This issue is fixed in APISIX Dashboard 2.6.1
References (2)
Core 2
Core References
Mailing List, Vendor Advisory x_refsource_misc
https://lists.apache.org/thread.html/re736aea55e8fd2478f0739c0c38a9375c4204fc1f0bd1ea687f57049%40%3Cdev.apisix.apache.org%3E
Mailing List, Third Party Advisory mailing-list
x_refsource_mlist
http://www.openwall.com/lists/oss-security/2021/06/08/4
Scores
CVSS v3
5.3
EPSS
0.0027
EPSS Percentile
50.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Details
CWE
CWE-307
Status
published
Products (1)
apache/apisix_dashboard
2.6
Published
Jun 08, 2021
Tracked Since
Feb 18, 2026