oss-sec mailing list archives
[SECURITY] CVE-2020-13945: Apache APISIX's Admin API default access token vulnerability
From: YuanSheng Wang <membphis () apache org>
Date: Mon, 7 Dec 2020 21:18:01 +0800
CVE-2020-13945: Apache APISIX's Admin API default access token vulnerability

Severity: low

Vendor: The Apache Software Foundation

Versions Affected: APISIX 1.2, 1.3, 1.4, 1.5

Description:
The user enabled the Admin API and deleted the Admin API access IP restriction rules. As a result, the default token is allowed to access APISIX management data.

Mitigation:
Users of APISIX 1.2 ~ 1.5 should upgrade to 2.0, or apply this patch:
https://github.com/apache/apisix/pull/2244

Credit:
This issue was discovered by "国家信息安全漏洞共享平台" (China National Vulnerability Database, CNVD).

--
*MembPhis*
My GitHub: https://github.com/membphis
Apache APISIX: https://github.com/apache/apisix
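The misconfiguration the advisory describes, as an added example that is not part of the original message or of the APISIX project: a small Python audit that applies a config.yaml over the shipped config-default.yaml (APISIX layers the two files this way; the assumption that a list set in config.yaml replaces the default list rather than appending to it is mine) and then flags an enabled Admin API whose allow_admin list is empty or wide open, and an admin_key entry that is still the shipped default. The three configuration dicts, the placeholder default key value (not the real shipped token) and the function names `merge` and `audit` are constructed for this example.

```python
"""Audit an Apache APISIX configuration for the CVE-2020-13945 misconfiguration.

Added example, not APISIX project code. APISIX reads conf/config-default.yaml
and applies conf/config.yaml on top of it; the merge below repeats that on
plain dicts (assumption: a list given in config.yaml replaces the default
list) and then inspects the effective `apisix` section.
"""
import copy
from typing import Any

# Constructed stand-in for conf/config-default.yaml. The key value is a
# placeholder for the shipped default token, not the real value.
DEFAULT_CONFIG: dict[str, Any] = {
    "apisix": {
        "enable_admin": True,
        "allow_admin": ["127.0.0.0/24"],
        "admin_key": [
            {"name": "admin", "key": "PLACEHOLDER-SHIPPED-DEFAULT-KEY", "role": "admin"},
        ],
    }
}

# Constructed config.yaml matching the advisory: Admin API enabled, the IP
# restriction rules deleted, admin_key never overridden, so the shipped
# default token is accepted from any source address.
WEAK_CONFIG: dict[str, Any] = {
    "apisix": {
        "enable_admin": True,
        "allow_admin": [],
    }
}

# Constructed hardened config.yaml: keep a source-IP allow list and replace
# the shipped token with an operator-generated one.
HARDENED_CONFIG: dict[str, Any] = {
    "apisix": {
        "enable_admin": True,
        "allow_admin": ["10.0.0.0/8"],
        "admin_key": [
            {"name": "admin", "key": "operator-generated-random-key", "role": "admin"},
        ],
    }
}

WILDCARD_CIDRS = {"0.0.0.0/0", "::/0"}


def merge(defaults: dict[str, Any], overrides: dict[str, Any]) -> dict[str, Any]:
    """Deep-merge `overrides` into a copy of `defaults`; dicts recurse, everything
    else (lists included) is replaced by the override. Inputs are not mutated."""
    merged = copy.deepcopy(defaults)
    for key, value in overrides.items():
        if isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key] = merge(merged[key], value)
        else:
            merged[key] = copy.deepcopy(value)
    return merged


def audit(user_config: dict[str, Any],
          default_config: dict[str, Any] = DEFAULT_CONFIG) -> list[str]:
    """Return finding identifiers for the effective configuration (empty = clean)."""
    effective = merge(default_config, user_config).get("apisix", {})
    findings: list[str] = []
    if not effective.get("enable_admin", False):
        return findings  # Admin API is off; the token is not reachable at all

    allow = effective.get("allow_admin") or []
    if not allow or any(cidr in WILDCARD_CIDRS for cidr in allow):
        findings.append("admin_api_ip_unrestricted")

    # Any key that still equals one shipped in config-default.yaml is public knowledge.
    shipped_keys = {e.get("key") for e in default_config.get("apisix", {}).get("admin_key", [])}
    entries = effective.get("admin_key") or []
    if not entries:
        findings.append("admin_key_missing")  # treated as a finding here: nothing to authenticate with
    for entry in entries:
        name = entry.get("name")
        if not entry.get("key"):
            findings.append(f"admin_key_empty:{name}")
        elif entry["key"] in shipped_keys:
            findings.append(f"admin_key_is_shipped_default:{name}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg) or "no findings")
```

Note that an unchanged config.yaml (no overrides at all) still reports the shipped default key; it is only the loopback-only allow_admin list that keeps that token from being usable remotely, which is why deleting the IP rules turns a default into an exposure. On a running gateway the same point can be confirmed by sending an Admin API request with the X-API-KEY header from a host outside allow_admin: route data coming back means the token was accepted.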