CVE-2020-13945

Опубликовано: 07 дек. 2020

Источник: nvd

CVSS3: 6.5

CVSS2: 4

EPSS Критический

Описание

In Apache APISIX, the user enabled the Admin API and deleted the Admin API access IP restriction rules. Eventually, the default token is allowed to access APISIX management data. This affects versions 1.2, 1.3, 1.4, 1.5.

Ссылки

http://packetstormsecurity.com/files/166228/Apache-APISIX-Remote-Code-Execution.html
Exploit
Third Party Advisory
VDB Entry
https://lists.apache.org/thread.html/r792feb29964067a4108f53e8579a1e9bd1c8b5b9bc95618c814faf2f%40%3Cdev.apisix.apache.org%3E
Mailing List
Patch
Vendor Advisory
http://packetstormsecurity.com/files/166228/Apache-APISIX-Remote-Code-Execution.html
Exploit
Third Party Advisory
VDB Entry
https://lists.apache.org/thread.html/r792feb29964067a4108f53e8579a1e9bd1c8b5b9bc95618c814faf2f%40%3Cdev.apisix.apache.org%3E
Mailing List
Patch
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:apache:apisix:*:*:*:*:*:*:*:*

Версия от 1.2 (включая) до 1.5 (включая)

EPSS

Процентиль: 100%

0.93434

Критический

6.5 Medium

CVSS3

4 Medium

CVSS2

Дефекты

NVD-CWE-Other

Связанные уязвимости

GHSA-c538-784j-qcxc