CVE-2021-33190

CVE-2021-33190 is a medium-severity vulnerability in Apache Apisix Dashboard with a CVSS 3.x base score of 5.3. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-307.

Key facts

Description

In Apache APISIX Dashboard version 2.6, we changed the default value of listen host to 0.0.0.0 in order to facilitate users to configure external network access. In the IP allowed list restriction, a risky function was used for the IP acquisition, which made it possible to bypass the network limit. At the same time, the default account and password are fixed.Ultimately these factors lead to the issue of security risks. This issue is fixed in APISIX Dashboard 2.6.1

Frequently asked questions

What is CVE-2021-33190?
In Apache APISIX Dashboard version 2.6, we changed the default value of listen host to 0.0.0.0 in order to facilitate users to configure external network access. In the IP allowed list restriction, a risky function was used for the IP acquisition, which made it possible to bypass the network limit. At the same time, the default account and password are fixed.Ultimately these factors lead to the issue of security risks. This issue is fixed in APISIX Dashboard 2.6.1
How severe is CVE-2021-33190?
CVE-2021-33190 has a CVSS 3.x base score of 5.3, rated medium severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is none, integrity low, and availability none.
Is CVE-2021-33190 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 3% (84th percentile), an estimate of the probability of exploitation in the next 30 days.
What products are affected by CVE-2021-33190?
CVE-2021-33190 affects Apache Apisix Dashboard. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2021-33190?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
When was CVE-2021-33190 published?
CVE-2021-33190 was published on 2021-06-08 and last updated on 2026-06-17.

References

Affected products (1)

More vulnerabilities in Apache Apisix Dashboard

All CVEs affecting Apache Apisix Dashboard →

Other CWE-307 (Improper Restriction of Excessive Authentication Attempts) vulnerabilities

Browse all CWE-307 (Improper Restriction of Excessive Authentication Attempts) vulnerabilities →