====================================================================

                             CERT-Renater

                 Note d'Information No. 2020/VULN659
_____________________________________________________________________

DATE                : 07/12/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache APISIX versions prior to
                                            2.0.

=====================================================================
http://mail-archives.apache.org/mod_mbox/apisix-dev/202012.mbox/%3cCAKzgDd3y7g7NO0=c5HkhBV=_MH1TFVcX=CqWrQuuVKzvwdBu_A@mail.gmail.com%3e
_____________________________________________________________________

CVE-2020-13945: Apache APISIX's Admin API default access token vulnerability

Severity: low

Vendor:
The Apache Software Foundation

Versions Affected:
APISIX 1.2, 1.3, 1.4, 1.5.


Description:
The user enabled the Admin API and deleted the Admin API access IP
restriction rules.
Eventually, the default token is allowed to access APISIX management data.


Mitigation:
APISIX 1.2 ~ 1.5 upgrade to 2.0

Or users can apply this patch:
https://github.com/apache/apisix/pull/2244


Credit:
This issue was discovered by "国家信息安全漏洞共享平台".

-- 

*MembPhis*
My GitHub: https://github.com/membphis
Apache APISIX: https://github.com/apache/apisix



=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================