
CVE-2020-13945 : What You Need to Know


Apache APISIX versions 1.2, 1.3, 1.4, and 1.5 ship with a default Admin API token. If an operator enables the Admin API and deletes the IP restriction rules that normally limit which source addresses may reach it, anyone who can reach the Admin API listener can present that default token and read or modify APISIX management data (routes, upstreams, certificates, and plugin configuration).

Understanding CVE-2020-13945

Apache APISIX is impacted by a security issue related to the default access token for the Admin API.

What is CVE-2020-13945?

The Admin API (served under the /apisix/admin/ path) authenticates callers with an admin key sent in the X-API-KEY request header. APISIX ships a well-known default key in its configuration, and in the 1.x releases the only other control in front of the Admin API is the allow_admin list of permitted source networks. When the user enables the Admin API and removes the allow_admin IP restriction rules, any client that can reach the listener can authenticate with the default token and access APISIX management data.

The Impact of CVE-2020-13945

This vulnerability affects versions 1.2, 1.3, 1.4, and 1.5 of Apache APISIX. Because the Admin API is the gateway's control plane, the impact is not limited to reading sensitive configuration: whoever holds an accepted admin token can also change routing, upstream, certificate, and plugin configuration for every service published through the gateway.

Technical Details of CVE-2020-13945

How the default Admin API token becomes reachable, and which APISIX releases are affected.

Vulnerability Description

Two configuration settings combine to create the issue: the default admin_key value that APISIX ships with, and the allow_admin source-IP restriction on the Admin API. Once the IP restriction rules are deleted, the default token alone is sufficient to access APISIX management data, because nothing else distinguishes an administrator from an arbitrary network client.

Affected Systems and Versions

        Product: Apache APISIX
        Vendor: Apache Software Foundation
        Versions: 1.2, 1.3, 1.4, 1.5

Exploitation Mechanism

No exploit code is required beyond network reachability. A client sends an ordinary HTTP request to the Admin API with the default token in the X-API-KEY header; with the allow_admin rules removed, APISIX accepts it as an administrator request, and the client can enumerate and modify the gateway's management data. The default token is public knowledge (it is in the shipped configuration), so the deleted IP restriction was the only remaining barrier.

Mitigation and Prevention

Steps to address and prevent the CVE-2020-13945 vulnerability.

Immediate Steps to Take

        Replace the default admin_key in conf/config.yaml with a unique, randomly generated key; the default value is public, so reinstating IP rules alone leaves the token guessable by anyone on an allowed network.
        Reinstate the allow_admin IP restriction rules and limit them to management networks; an entry such as 0.0.0.0/0 is equivalent to having no rules at all.
        Verify the fix from an address outside the allow-list: a request to /apisix/admin/ carrying the old default token must be rejected.
        Monitor access to APISIX management data for any unauthorized activity, including Admin API requests from unexpected source addresses and unexplained changes to routes or upstreams.
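The following is an added example, not code from the APISIX project or from the original advisory. It ties together the Exploitation Mechanism and the Immediate Steps above: it audits an APISIX 1.x configuration for exactly the condition in the CVE (Admin API enabled, default token still configured, no effective source-IP restriction) and produces a hardened copy. It assumes conf/config.yaml has already been parsed into a dict (for example with yaml.safe_load); the configurations embedded below are constructed illustrations, not captured from a real deployment. The default key constant is the value shipped in APISIX's conf/config-default.yaml.

```python
"""Audit and repair an Apache APISIX 1.x config for the CVE-2020-13945 condition.

Added example (not APISIX project code). Assumes the YAML config has already
been parsed into a dict, e.g. yaml.safe_load(open("conf/config.yaml")).
"""
import copy
import ipaddress
import secrets

# The admin key shipped in APISIX's conf/config-default.yaml. Anyone who can
# reach /apisix/admin/ and sends it in the X-API-KEY header is an administrator.
DEFAULT_ADMIN_KEY = "edd1c9f034335f136f87ad84b625c8f1"


def uses_default_key(apisix):
    """True if any admin_key entry still carries the shipped default token."""
    return any(str(item.get("key", "")) == DEFAULT_ADMIN_KEY
               for item in apisix.get("admin_key") or [])


def allow_list_is_open(apisix):
    """True if allow_admin is absent, empty, malformed, or contains a catch-all
    network such as 0.0.0.0/0 or ::/0, i.e. it does not restrict source IPs.
    An unparseable entry is treated as no restriction (conservative choice)."""
    entries = apisix.get("allow_admin") or []
    if not entries:
        return True
    for entry in entries:
        try:
            net = ipaddress.ip_network(str(entry), strict=False)
        except ValueError:
            return True
        if net.prefixlen == 0:
            return True
    return False


def audit_admin_api(config):
    """Return human-readable findings; an empty list means neither weakness is present."""
    apisix = config.get("apisix") or {}
    if not apisix.get("enable_admin", True):
        return []  # Admin API disabled: the token is unreachable
    findings = []
    if uses_default_key(apisix):
        findings.append("admin_key still contains the default token")
    if allow_list_is_open(apisix):
        findings.append("allow_admin does not restrict Admin API source addresses")
    return findings


def is_cve_2020_13945_exposed(config):
    """Exactly the advisory's condition: Admin API on, default token, no IP restriction."""
    apisix = config.get("apisix") or {}
    return (bool(apisix.get("enable_admin", True))
            and uses_default_key(apisix)
            and allow_list_is_open(apisix))


def harden(config, management_networks):
    """Return a copy with every admin key replaced by a fresh random token and
    allow_admin set to the given management networks (normalised to CIDR)."""
    if not management_networks:
        raise ValueError("at least one management network is required")
    fixed = copy.deepcopy(config)
    apisix = fixed.setdefault("apisix", {})
    apisix["allow_admin"] = [str(ipaddress.ip_network(n, strict=False))
                             for n in management_networks]
    for item in apisix.get("admin_key") or []:
        item["key"] = secrets.token_hex(16)  # 32 hex chars, same shape as the default
    return fixed


# Constructed: the vulnerable state the advisory describes (allow_admin deleted).
VULNERABLE_CONFIG = {
    "apisix": {
        "enable_admin": True,
        "admin_key": [{"name": "admin", "key": DEFAULT_ADMIN_KEY, "role": "admin"}],
    }
}

# Constructed: IP rules present but default token untouched. Not the CVE
# condition, yet still a finding, because the token is public knowledge.
RESTRICTED_DEFAULT_KEY_CONFIG = {
    "apisix": {
        "enable_admin": True,
        "allow_admin": ["10.0.8.0/24"],
        "admin_key": [{"name": "admin", "key": DEFAULT_ADMIN_KEY, "role": "admin"}],
    }
}

if __name__ == "__main__":
    for label, cfg in [("vulnerable", VULNERABLE_CONFIG),
                       ("restricted", RESTRICTED_DEFAULT_KEY_CONFIG),
                       ("hardened", harden(VULNERABLE_CONFIG, ["10.0.8.0/24", "127.0.0.1"]))]:
        print(label, is_cve_2020_13945_exposed(cfg), audit_admin_api(cfg))
```

Run it against your own parsed config.yaml and treat any finding as actionable: the advisory's condition needs both weaknesses at once, but a default token behind an IP allow-list is still one deleted rule away from full gateway control, which is why harden() rotates the key as well as restoring allow_admin.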

Long-Term Security Practices

        Treat the Admin API as a control plane: never expose it on an internet-facing listener, keep allow_admin limited to management networks, and rotate admin keys on a schedule and whenever an operator leaves.
        Regularly review and update access control policies for Apache APISIX, including a check that the shipped default key has not crept back in through a configuration rollout or container image rebuild.
        Conduct security audits of the gateway configuration to identify and address potential weaknesses before they are combined into an exploitable condition.

Patching and Updates

        Upgrade affected 1.2 to 1.5 deployments to a release outside the affected range (the upstream advisory points to 2.0.0 and later), and change the default token regardless of version: an upgrade does not rotate an admin key that is already configured.
