Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2020-13945 — Apache Apisix vulnerability

4 documents4 sources

Severity

6.5MEDIUMNVD

EPSS

93.4%

top 0.18%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Apache Apisix Apache Software Foundation Apache Apisix

Timeline

PublishedDec 7

Latest updateMay 24

Description

In Apache APISIX, the user enabled the Admin API and deleted the Admin API access IP restriction rules. Eventually, the default token is allowed to access APISIX management data. This affects versions 1.2, 1.3, 1.4, 1.5.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

▶NVDapache/apisix1.2 — 1.5

▶CVEListV5apache_software_foundation/apache_apisix4 versions+3

Patches

Patch: lists.apache.org ↗Patch: lists.apache.org ↗

🔴Vulnerability Details

GHSA

GHSA-c538-784j-qcxc: In Apache APISIX, the user enabled the Admin API and deleted the Admin API access IP restriction rules↗2022-05-24

▶

CVEList

CVE-2020-13945: In Apache APISIX, the user enabled the Admin API and deleted the Admin API access IP restriction rules↗2020-12-07

▶

💥Exploits & PoCs

Nuclei

Apache APISIX - Insufficiently Protected Credentials

▶