CVE-2020-13945
First published: Mon Dec 07 2020(Updated: )
In Apache APISIX, the user enabled the Admin API and deleted the Admin API access IP restriction rules. Eventually, the default token is allowed to access APISIX management data. This affects versions 1.2, 1.3, 1.4, 1.5.
Credit: security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache APISIX | >=1.2<=1.5 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2020-13945?
CVE-2020-13945 is a vulnerability in Apache APISIX that occurs when the user enables the Admin API and deletes the Admin API access IP restriction rules, allowing the default token to access APISIX management data.
Which versions of Apache APISIX are affected by CVE-2020-13945?
Versions 1.2, 1.3, 1.4, and 1.5 of Apache APISIX are affected by CVE-2020-13945.
What is the severity of CVE-2020-13945?
CVE-2020-13945 has a severity keyword of 'medium' and a severity value of 6.5.
How can I fix CVE-2020-13945?
To fix CVE-2020-13945, you should implement proper IP restriction rules for the Admin API in Apache APISIX.
Where can I find more information about CVE-2020-13945?
You can find more information about CVE-2020-13945 at the following references: [1] http://packetstormsecurity.com/files/166228/Apache-APISIX-Remote-Code-Execution.html [2] https://lists.apache.org/thread.html/r792feb29964067a4108f53e8579a1e9bd1c8b5b9bc95618c814faf2f%40%3Cdev.apisix.apache.org%3E
- collector/nvd-index
- agent/author
- agent/tags
- agent/description
- agent/event
- agent/last-modified-date
- agent/remedy
- agent/references
- agent/severity
- agent/type
- agent/softwarecombine
- agent/first-publish-date
- vendor/apache
- canonical/apache apisix
- version/apache apisix/1.2
- version/apache apisix/1.5