{ "Name": "Apache APISIX Admin API Default Access Token (CVE-2020-13945)", "Description": "

Apache APISIX is a cloud-native microservice API gateway from the Apache Software Foundation.

Apache APISIX ships with a default Admin API key. When the Admin API is enabled and the IP allow-list that restricts access to it has been removed, an attacker who knows the default key can read and modify APISIX management data, upload malicious scripts to execute arbitrary commands, and take over the server.

", "Product": "Apache APISIX", "Homepage": "http://apisix.apache.org/", "DisclosureDate": "2022-01-04", "Author": "1291904552@qq.com", "FofaQuery": "title=\"Apache APISIX Dashboard\"", "GobyQuery": "title=\"Apache APISIX Dashboard\"", "Level": "2", "Impact": "

Apache APISIX ships with a default Admin API key. When the Admin API is enabled and the IP allow-list that restricts access to it has been removed, an attacker who knows the default key can read and modify APISIX management data, upload malicious scripts to execute arbitrary commands, and take over the server.

", "Recommendation": "

The vendor has released a fix; apply the update promptly: https://lists.apache.org/thread.html/r792feb29964067a4108f53e8579a1e9bd1c8b5b9bc95618c814faf2f%40%3Cdev.apisix.apache.org%3E

1. Set access policies and whitelist access through security devices such as firewalls.

2. If not necessary, prohibit public network access to the system.

", "Translation": { "CN": { "Name": "Apache APISIX 默认秘钥导致远程命令执行漏洞 (CVE-2020-13945)", "VulType": ["命令执行"], "Tags": ["命令执行"], "Description": "

Apache Apisix是Apache基金会的一个云原生的微服务API网关服务。

Apache Apisix存在默认密钥漏洞,用户启用了管理API并删除了管理API访问IP限制规则,导致允许攻击者访问APISIX管理数据并上传恶意脚本执行任意命令,接管服务器权限。

", "Impact": "

Apache Apisix存在默认密钥漏洞,用户启用了管理API并删除了管理API访问IP限制规则,导致允许攻击者访问APISIX管理数据并上传恶意脚本执行任意命令,接管服务器权限。

", "Product": "Apache APISIX", "Recommendation": "

厂商已发布了漏洞修复程序,请及时关注更新:https://lists.apache.org/thread.html/r792feb29964067a4108f53e8579a1e9bd1c8b5b9bc95618c814faf2f%40%3Cdev.apisix.apache.org%3E

1、通过防火墙等安全设备设置访问策略,设置白名单访问。

2、如非必要,禁止公网访问该系统。

" }, "EN": { "Name": "Apache APISIX Admin API Default Access Token (CVE-2020-13945)", "VulType": ["rce"], "Tags": ["rce"], "Description": "

Apache APISIX is a cloud-native microservice API gateway from the Apache Software Foundation.

Apache APISIX ships with a default Admin API key. When the Admin API is enabled and the IP allow-list that restricts access to it has been removed, an attacker who knows the default key can read and modify APISIX management data, upload malicious scripts to execute arbitrary commands, and take over the server.

", "Impact": "

Apache APISIX ships with a default Admin API key. When the Admin API is enabled and the IP allow-list that restricts access to it has been removed, an attacker who knows the default key can read and modify APISIX management data, upload malicious scripts to execute arbitrary commands, and take over the server.

", "Product": "Apache APISIX", "Recommendation": "

The vendor has released a fix; apply the update promptly: https://lists.apache.org/thread.html/r792feb29964067a4108f53e8579a1e9bd1c8b5b9bc95618c814faf2f%40%3Cdev.apisix.apache.org%3E

1. Set access policies and whitelist access through security devices such as firewalls.

2. If not necessary, prohibit public network access to the system.

" } }, "References": [ "https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2020/CVE-2020-13945.yaml" ], "HasExp": true, "ExpParams": [ { "name": "cmd", "type": "input", "value": "id" } ], "ExpTips": null, "ScanSteps": null, "Tags": [ "rce" ], "VulType": [ "rce" ], "CVEIDs": [ "CVE-2020-13945" ], "CVSSScore": "9.0", "AttackSurfaces": { "Application": null, "Support": null, "Service": null, "System": null, "Hardware": null }, "CNNVD": [ "CNNVD-202012-424" ], "CNVD": [ "CNVD-2021-06957" ] }