CVE-2020-13945

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2020-13945

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-13945.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2020-13945

Aliases

BIT-apisix-2020-13945

Published

2020-12-07T20:15:12Z

Modified

2024-11-21T05:02:12Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

[none]

Details

In Apache APISIX, the user enabled the Admin API and deleted the Admin API access IP restriction rules. Eventually, the default token is allowed to access APISIX management data. This affects versions 1.2, 1.3, 1.4, 1.5.

References

http://packetstormsecurity.com/files/166228/Apache-APISIX-Remote-Code-Execution.html
https://lists.apache.org/thread.html/r792feb29964067a4108f53e8579a1e9bd1c8b5b9bc95618c814faf2f%40%3Cdev.apisix.apache.org%3E

Affected packages

Git / github.com/apache/apisix

Affected ranges

Type: GIT
Repo: https://github.com/apache/apisix
Events: Introduced

3465713d3cd58b600f975d52013f347ea4e6ca4a

Last affected

6c5b52e93ea522009355643feb9d8c5a84e4baf4