CVE-2020-13945
N/A
N/A
Summary
In Apache APISIX, the user enabled the Admin API and deleted the Admin API access IP restriction rules. Eventually, the default token is allowed to access APISIX management data. This affects versions 1.2, 1.3, 1.4, 1.5.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Apache Software Foundation | Apache APISIX | 1.2 | affected |
| Apache Software Foundation | Apache APISIX | 1.3 | affected |
| Apache Software Foundation | Apache APISIX | 1.4 | affected |
| Apache Software Foundation | Apache APISIX | 1.5 | affected |
Weaknesses
- Admin API default access token vulnerability
ADP Enrichment
CVE Program Container
Additional References
- https://lists.apache.org/thread.html/r792feb29964067a4108f53e8579a1e9bd1c8b5b9bc95618c814faf2f%40%3Cdev.apisix.apache.org%3E
- http://packetstormsecurity.com/files/166228/Apache-APISIX-Remote-Code-Execution.html
References
- https://lists.apache.org/thread.html/r792feb29964067a4108f53e8579a1e9bd1c8b5b9bc95618c814faf2f%40%3Cdev.apisix.apache.org%3E
- http://packetstormsecurity.com/files/166228/Apache-APISIX-Remote-Code-Execution.html
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.