CVE-2021-45232
Severity: CRITICAL | Nuclei template: available
Apache APISIX Dashboard < 2.10.1 - Unauthenticated API Access via Gin Framework Bypass
Title source: llm
Exploitation Summary
EIP tracks 9 public exploits for CVE-2021-45232. PoCs published by wuppp, YutuSec, fany0r. A Nuclei detection template is also available.
AI-analyzed exploit summary
This PoC exploits CVE-2021-45232, an authentication bypass in the Apache APISIX Dashboard Manager API, and chains it to remote code execution: it calls the unauthenticated migrate/import endpoint to import a route configuration whose Lua script executes arbitrary commands on the gateway.
Description
In Apache APISIX Dashboard before 2.10.1, the Manager API is built on two web frameworks: `droplet` is layered on top of `gin`, and all API handlers and the authentication middleware are implemented on `droplet`. Some APIs, however, are registered directly through the `gin` interface, so requests to them never pass through the `droplet` authentication middleware and can be called without credentials.
Exploits (9)
This PoC exploits CVE-2021-45232, an authentication bypass in the Apache APISIX Dashboard Manager API, and chains it to remote code execution: it calls the unauthenticated migrate/import endpoint to import a route configuration whose Lua script executes arbitrary commands on the gateway.
This repository contains a Go-based exploit for CVE-2021-45232, an unauthenticated API access vulnerability in Apache APISIX Dashboard. The PoC checks for unauthenticated access to the Manager API and demonstrates command execution via route manipulation.
This PoC exploits CVE-2021-45232, an unauthorized access vulnerability in Apache APISIX Dashboard, to achieve remote code execution (RCE) by importing a malicious route configuration that executes arbitrary commands via Lua script injection.
This repository provides a description and proof-of-concept for CVE-2021-45232, an authentication bypass vulnerability in Apache APISIX Dashboard. The vulnerability allows unauthorized access to the `/apisix/admin/migrate/export` endpoint due to inconsistent framework usage (gin vs. droplet).
This repository provides a writeup and basic PoC for CVE-2021-45232, an unauthorized access vulnerability in Apache APISIX Dashboard. It includes FOFA queries, affected versions, and mitigation steps but lacks functional exploit code.
This repository contains a Python script to scan for CVE-2021-45232, an unauthorized access vulnerability in Apache APISIX Dashboard, and also checks for default credentials. It performs HTTP requests to specific endpoints to detect the vulnerability and logs results.
This repository contains a README with images and links related to CVE-2021-45232 but lacks actual exploit code or technical details. It appears to be a placeholder or informational writeup.
This repository provides a proof-of-concept for CVE-2021-45232, an authentication bypass in Apache APISIX Dashboard versions prior to 2.10.1 that the PoC chains to remote code execution. The exploit leverages an unauthenticated API endpoint to achieve command execution.
This repository provides a scanner for CVE-2021-45232, an authentication bypass vulnerability in Apache APISIX Dashboard versions prior to 2.10.1. The vulnerability arises from inconsistent framework usage, allowing unauthorized access to certain APIs.
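The bug class in the Description above, and the unauthenticated probe that the scanners in this list perform, as an added Go example. This is illustrative code written for this page, not APISIX Dashboard, droplet or gin source: a plain `net/http` mux stands in for gin, a thin wrapper that applies the auth middleware stands in for droplet, and the token value, the `/apisix/admin/routes` path and the handler body are constructed for the example (only `/apisix/admin/migrate/export` is taken from the page). The point is that one endpoint registered on the inner router directly never sees the middleware, and a credential-less request tells the two wirings apart.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// validToken is a constructed credential for the example; the real Manager API
// issues session tokens after login.
const validToken = "secret-token"

// requireAuth is the authentication middleware. Everything that goes through
// the outer layer (the droplet stand-in) is wrapped with it.
func requireAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != validToken {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// authRouter is the outer framework layer: every handler registered through
// it is wrapped with requireAuth before reaching the inner mux (the gin stand-in).
type authRouter struct{ mux *http.ServeMux }

func (a authRouter) Handle(pattern string, h http.Handler) {
	a.mux.Handle(pattern, requireAuth(h))
}

// exportHandler returns a constructed export body; its content is irrelevant,
// only whether an unauthenticated caller can reach it matters.
func exportHandler(w http.ResponseWriter, _ *http.Request) {
	w.Header().Set("Content-Type", "application/json")
	_, _ = w.Write([]byte(`{"Routes":[],"Upstreams":[]}`))
}

// newVulnerableMux reproduces the inconsistent wiring the advisory describes:
// one endpoint goes through the auth layer, the other is registered directly
// on the inner mux and therefore bypasses the middleware.
func newVulnerableMux() *http.ServeMux {
	mux := http.NewServeMux()
	outer := authRouter{mux: mux}
	outer.Handle("/apisix/admin/routes", http.HandlerFunc(exportHandler))
	mux.HandleFunc("/apisix/admin/migrate/export", exportHandler) // direct registration: no auth
	return mux
}

// newFixedMux registers every admin endpoint through the auth layer, so no
// handler can be reached without passing requireAuth.
func newFixedMux() *http.ServeMux {
	mux := http.NewServeMux()
	outer := authRouter{mux: mux}
	outer.Handle("/apisix/admin/routes", http.HandlerFunc(exportHandler))
	outer.Handle("/apisix/admin/migrate/export", http.HandlerFunc(exportHandler))
	return mux
}

// probe is the check the scanners above perform: request the endpoint with no
// credentials and return the status code. 200 means authentication was not
// enforced on that path; 401 means the middleware ran.
func probe(h http.Handler, path string) int {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, path, nil))
	return rec.Code
}

func main() {
	const export = "/apisix/admin/migrate/export"
	fmt.Printf("vulnerable wiring, unauthenticated GET %s -> %d\n", export, probe(newVulnerableMux(), export))
	fmt.Printf("fixed wiring,      unauthenticated GET %s -> %d\n", export, probe(newFixedMux(), export))
}
```

The same probe against a live Manager API is what the scanners listed above do over the network; a 200 with an export body on `/apisix/admin/migrate/export` without a session token is the vulnerable signature, while a patched instance answers with an authentication error. When auditing code that layers one router on another, the corresponding review check is that no handler is registered on the inner router directly, since any such registration sits outside every middleware the outer layer applies.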
Nuclei Templates (1)
References (2)
Scores
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H