<!--X-Body-Begin-->
<!--X-User-Header-->
oss-sec
mailing list archives
<!--X-User-Header-End-->
<!--X-TopPNI-->
By Date
By Thread
</form>
<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
[SECURITY] CVE-2020-13945: Apache APISIX's Admin API default access token vulnerability
<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->
From: YuanSheng Wang <membphis () apache org>
Date: Mon, 7 Dec 2020 21:18:01 +0800
<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->
<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
CVE-2020-13945: Apache APISIX's Admin API default access token vulnerability
Severity: low
Vendor:
The Apache Software Foundation
Versions Affected:
APISIX 1.2, 1.3, 1.4, 1.5.
Description:
The user enabled the Admin API and deleted the Admin API access IP
restriction rules.
Eventually, the default token is allowed to access APISIX management data.
Mitigation:
APISIX 1.2 ~ 1.5 upgrade to 2.0
Or users can apply this patch:
https://github.com/apache/apisix/pull/2244
Credit:
This issue was discovered by "国家信息安全漏洞共享平台".
--
*MembPhis*
My GitHub: https://github.com/membphis
Apache APISIX: https://github.com/apache/apisix
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->
By Date
By Thread
Current thread:
[SECURITY] CVE-2020-13945: Apache APISIX's Admin API default access token vulnerability YuanSheng Wang (Dec 07)
<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->