ID

VAR-202012-0118


CVE

CVE-2020-13945


TITLE

Vulnerability in Apache APISIX

Trust: 0.8

sources: JVNDB: JVNDB-2020-014822

DESCRIPTION

In Apache APISIX, the user enabled the Admin API and deleted the Admin API access IP restriction rules. Eventually, the default token is allowed to access APISIX management data. This affects versions 1.2, 1.3, 1.4, 1.5. Apache APISIX contains an unspecified vulnerability. Information may be obtained.

Trust: 1.71

sources: NVD: CVE-2020-13945 // JVNDB: JVNDB-2020-014822 // VULMON: CVE-2020-13945

AFFECTED PRODUCTS

vendor: apache, model: apisix, scope: gte, version: 1.2

Trust: 1.0

vendor: apache, model: apisix, scope: lte, version: 1.5

Trust: 1.0

vendor: apache, model: apisix, scope: eq, version: 1.3

Trust: 0.8

vendor: apache, model: apisix, scope: eq, version: 1.5

Trust: 0.8

vendor: apache, model: apisix, scope: eq, version: -

Trust: 0.8

vendor: apache, model: apisix, scope: eq, version: 1.4

Trust: 0.8

vendor: apache, model: apisix, scope: eq, version: 1.2

Trust: 0.8

sources: JVNDB: JVNDB-2020-014822 // NVD: CVE-2020-13945

CVSS

SEVERITY

CVSSV2

CVSSV3

NVD: CVE-2020-13945
value: MEDIUM

Trust: 1.8

CNNVD: CNNVD-202012-424
value: MEDIUM

Trust: 0.6

VULMON: CVE-2020-13945
value: MEDIUM

Trust: 0.1

NVD:
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 2.9
acInsufInfo: FALSE
obtainAllPrivilege: FALSE
obtainUserPrivilege: FALSE
obtainOtherPrivilege: FALSE
userInteractionRequired: FALSE
version: 2.0

Trust: 1.0

NVD: CVE-2020-13945
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.9

NVD:
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 3.6
version: 3.1

Trust: 1.0

NVD: CVE-2020-13945
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULMON: CVE-2020-13945 // JVNDB: JVNDB-2020-014822 // NVD: CVE-2020-13945 // CNNVD: CNNVD-202012-424

PROBLEMTYPE DATA

problemtype: NVD-CWE-Other

Trust: 1.0

problemtype: Other (CWE-Other) [NVD Evaluation]

Trust: 0.8

sources: JVNDB: JVNDB-2020-014822 // NVD: CVE-2020-13945

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202012-424

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202012-424

CONFIGURATIONS

sources: NVD: CVE-2020-13945

PATCH

title: [SECURITY] CVE-2020-13945
url: https://lists.apache.org/thread.html/r792feb29964067a4108f53e8579a1e9bd1c8b5b9bc95618c814faf2f%40%3cdev.apisix.apache.org%3e

Trust: 0.8

title: Apache Apisix Security vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=137138

Trust: 0.6

title: -
url: https://github.com/yutusec/apisix_crack

Trust: 0.1

sources: VULMON: CVE-2020-13945 // JVNDB: JVNDB-2020-014822 // CNNVD: CNNVD-202012-424

EXTERNAL IDS

db: NVD, id: CVE-2020-13945

Trust: 2.5

db: PACKETSTORM, id: 166228

Trust: 1.7

db: JVNDB, id: JVNDB-2020-014822

Trust: 0.8

db: CNNVD, id: CNNVD-202012-424

Trust: 0.6

db: VULMON, id: CVE-2020-13945

Trust: 0.1

sources: VULMON: CVE-2020-13945 // JVNDB: JVNDB-2020-014822 // NVD: CVE-2020-13945 // CNNVD: CNNVD-202012-424

REFERENCES

url: https://lists.apache.org/thread.html/r792feb29964067a4108f53e8579a1e9bd1c8b5b9bc95618c814faf2f%40%3cdev.apisix.apache.org%3e

Trust: 1.7

url: http://packetstormsecurity.com/files/166228/apache-apisix-remote-code-execution.html

Trust: 1.7

url: https://nvd.nist.gov/vuln/detail/cve-2020-13945

Trust: 1.4

url: https://cwe.mitre.org/data/definitions/.html

Trust: 0.1

url: https://github.com/yutusec/apisix_crack

Trust: 0.1

url: https://nvd.nist.gov

Trust: 0.1

url: http://seclists.org/oss-sec/2020/q4/187

Trust: 0.1

sources: VULMON: CVE-2020-13945 // JVNDB: JVNDB-2020-014822 // NVD: CVE-2020-13945 // CNNVD: CNNVD-202012-424

SOURCES

db: VULMON, id: CVE-2020-13945
db: JVNDB, id: JVNDB-2020-014822
db: NVD, id: CVE-2020-13945
db: CNNVD, id: CNNVD-202012-424

LAST UPDATE DATE

2023-12-18T12:49:24.001000+00:00


SOURCES UPDATE DATE

db: VULMON, id: CVE-2020-13945, date: 2022-04-19T00:00:00
db: JVNDB, id: JVNDB-2020-014822, date: 2021-09-01T04:52:00
db: NVD, id: CVE-2020-13945, date: 2022-04-19T15:43:07.427
db: CNNVD, id: CNNVD-202012-424, date: 2022-03-08T00:00:00

SOURCES RELEASE DATE

db: VULMON, id: CVE-2020-13945, date: 2020-12-07T00:00:00
db: JVNDB, id: JVNDB-2020-014822, date: 2021-09-01T00:00:00
db: NVD, id: CVE-2020-13945, date: 2020-12-07T20:15:12.557
db: CNNVD, id: CNNVD-202012-424, date: 2020-12-07T00:00:00