声明 此处提供的漏洞检测方法、文件等内容,均仅限于安全从业者在获得法律授权的情况下使用,目的是检测已授权的服务器的安全性。安全从业者务必遵守法律规定,禁止在没有得到授权的情况下做任何漏洞检测。 简介 漏洞分析 - Kong未授权访问漏洞(CVE-2020-11710) 检测方法1 # 查看 # 注
An issue exists in docker-kong (for Kong) up to and including 2.0.3. The admin API port may be accessible on interfaces other than 127.0.0.1. NOTE: The vendor argue that this CVE is not a vulnerability because it has an inaccurate bug scope and patch links. “1) Inaccurate Bug Scope - The issue scope was on Kong's docker-compose template, and not Kong's docker image itself. In reality, this issue is not associated with any version of the Kong gateway. As such, the description stating ‘An issue exists in docker-kong (for Kong) up to and including 2.0.3.’ is incorrect. This issue only occurs if a user decided to spin up Kong via docker-compose without following the security documentation. The docker-compose template is meant for users to quickly get started with Kong, and is meant for development purposes only. 2) Incorrect Patch Links - The CVE currently points to a documentation improvement as a “Patch” link: github.com/Kong/docs.konghq.com/commit/d693827c32144943a2f45abc017c1321b33ff611.This link actually points to an improvement Kong Inc made for fool-proofing. However, instructions for how to protect the admin API were already well-documented here: docs.konghq.com/2.0.x/secure-admin-api/#network-layer-access-restrictions , which was first published back in 2017 (as shown in this commit: github.com/Kong/docs.konghq.com/commit/e99cf875d875dd84fdb751079ac37882c9972949) Lastly, the hyperlink to github.com/Kong/kong (an unrelated Github Repo to this issue) on the Hyperlink list does not include any meaningful information on this topic.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
konghq docker-kong |