CVE-2020-11710
published 2020-04-12

Priority: P273, critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 33.83% (98.2th percentile)
An issue was discovered in docker-kong (for Kong) through 2.0.3. The admin API port may be accessible on interfaces other than 127.0.0.1. NOTE: The vendor argues that this CVE is not a vulnerability because it has an inaccurate bug scope and patch links. “1) Inaccurate Bug Scope - The issue scope was on Kong's docker-compose template, and not Kong's docker image itself. In reality, this issue is not associated with any version of the Kong gateway. As such, the description stating ‘An issue was discovered in docker-kong (for Kong) through 2.0.3.’ is incorrect. This issue only occurs if a user decided to spin up Kong via docker-compose without following the security documentation. The docker-compose template is meant for users to quickly get started with Kong, and is meant for development purposes only. 2) Incorrect Patch Links - The CVE currently points to a documentation improvement as a “Patch” link: https://github.com/Kong/docs.konghq.com/commit/d693827c32144943a2f45abc017c1321b33ff611. This link actually points to an improvement Kong Inc made for fool-proofing. However, instructions for how to protect the admin API were already well-documented here: https://docs.konghq.com/2.0.x/secure-admin-api/#network-layer-access-restrictions , which was first published back in 2017 (as shown in this commit: https://github.com/Kong/docs.konghq.com/commit/e99cf875d875dd84fdb751079ac37882c9972949). Lastly, the hyperlink to https://github.com/Kong/kong (an unrelated GitHub repo to this issue) on the Hyperlink list does not include any meaningful information on this topic.”

Affected

1 range

| Vendor | Product | Version range | Fixed in |
|--------|---------|---------------|----------|
| konghq | docker-kong | <= 2.0.3 | |

Detection & IOCs (extracted from sources)

url: {{BaseURL}}/admin/
other: Welcome to kong AND configuration AND kong_env (HTTP 200)
  • Probe GET {{BaseURL}} and {{BaseURL}}/admin/ for HTTP 200 responses containing all three strings: 'Welcome to kong', 'configuration', and 'kong_env' in the response body to identify an exposed Kong Admin API.
  • Use Shodan query cpe:"cpe:2.3:a:konghq:docker-kong" to identify internet-exposed Kong Admin API instances.
  • The vulnerability arises when the Kong Admin API port is bound to interfaces other than 127.0.0.1, making it remotely accessible without authentication.
  • This issue only affects Kong deployments spun up via the docker-compose template, not the Kong docker image itself. It is not triggered in production deployments that follow Kong's security documentation.
  • The vendor disputes this CVE, stating the bug scope is inaccurate and that the issue is not associated with any version of the Kong gateway itself.
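
A configuration-side check for the binding issue described above, as an added example that is not from the CVE record or from Kong: it audits docker-compose short-syntax `ports` entries and flags any that publish the Admin API on a non-loopback host address. Assumptions: 8001 and 8444 are Kong's default Admin API ports, host addresses are literals (no `${VAR}` substitution), and the sample entries are constructed.

```python
import ipaddress

# Assumption: Kong's default Admin API ports (HTTP 8001, HTTPS 8444).
ADMIN_PORTS = {8001, 8444}

def parse_port_mapping(spec):
    """Split a compose short-syntax entry into (host_ip, host_port, container_port)."""
    spec = str(spec).strip().split("/")[0]      # drop "/tcp" or "/udp"
    host_ip = None
    if spec.startswith("["):                    # bracketed IPv6 host address
        host_ip, _, spec = spec[1:].partition("]:")
    parts = spec.split(":")
    if host_ip is None and len(parts) == 3:     # ip:host_port:container_port
        host_ip, parts = parts[0], parts[1:]
    host_port = parts[0] if len(parts) == 2 else None
    return host_ip, host_port, parts[-1]

def _ports(rng):
    """Expand "8001" or "8000-8001" into a range of port numbers."""
    lo, _, hi = rng.partition("-")
    return range(int(lo), int(hi or lo) + 1)

def admin_exposure(spec):
    """Return a reason string if the entry publishes an admin port beyond loopback."""
    host_ip, _, container = parse_port_mapping(spec)
    if not ADMIN_PORTS.intersection(_ports(container)):
        return None                             # not an Admin API port
    if host_ip is None:
        return "no host IP given: Docker publishes on all interfaces"
    try:
        if ipaddress.ip_address(host_ip).is_loopback:
            return None                         # 127.0.0.0/8 or ::1
    except ValueError:
        return f"host address {host_ip!r} is not a literal IP: review manually"
    return f"bound to non-loopback address {host_ip}"

def audit(ports):
    """Return (entry, reason) for every entry that exposes the Admin API."""
    return [(p, why) for p in ports if (why := admin_exposure(p))]

# Constructed sample: the `ports` list of a Kong service in a compose file.
SAMPLE = ["8000:8000/tcp", "8001:8001/tcp", "127.0.0.1:8444:8444",
          "0.0.0.0:8001:8001", "[::1]:8001:8001", "8443:8443"]

if __name__ == "__main__":
    for entry, reason in audit(SAMPLE):
        print(f"{entry}: {reason}")
```
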

CVSS provenance

nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P