You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@apisix.apache.org by YuanSheng Wang <me...@apache.org> on 2020/12/07 13:16:55 UTC
[SECURITY] CVE-2020-13945: Apache APISIX's Admin API default access
token vulnerability
CVE-2020-13945: Apache APISIX's Admin API default access token vulnerability
Severity: low
Vendor:
The Apache Software Foundation
Versions Affected:
APISIX 1.2, 1.3, 1.4, 1.5.
Description:
The user enabled the Admin API and deleted the Admin API access IP
restriction rules.
Eventually, the default token is allowed to access APISIX management data.
Mitigation:
APISIX 1.2 ~ 1.5 upgrade to 2.0
Or users can apply this patch:
https://github.com/apache/apisix/pull/2244
Credit:
This issue was discovered by "国家信息安全漏洞共享平台".
--
*MembPhis*
My GitHub: https://github.com/membphis
Apache APISIX: https://github.com/apache/apisix