Details of VAR-202012-0118

ID

VAR-202012-0118

CVE

CVE-2020-13945

TITLE

Apache APISIX Vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2020-014822

DESCRIPTION

In Apache APISIX, the user enabled the Admin API and deleted the Admin API access IP restriction rules. Eventually, the default token is allowed to access APISIX management data. This affects versions 1.2, 1.3, 1.4, 1.5. Apache APISIX Contains an unspecified vulnerability.Information may be obtained

Trust: 1.71

sources: NVD: CVE-2020-13945 // JVNDB: JVNDB-2020-014822 // VULMON: CVE-2020-13945

AFFECTED PRODUCTS

vendor:	apache	model:	apisix	scope:	gte	version:	1.2	Trust: 1.0
vendor:	apache	model:	apisix	scope:	lte	version:	1.5	Trust: 1.0
vendor:	apache	model:	apisix	scope:	eq	version:	1.3	Trust: 0.8
vendor:	apache	model:	apisix	scope:	eq	version:	1.5	Trust: 0.8
vendor:	apache	model:	apisix	scope:	eq	version:	-	Trust: 0.8
vendor:	apache	model:	apisix	scope:	eq	version:	1.4	Trust: 0.8
vendor:	apache	model:	apisix	scope:	eq	version:	1.2	Trust: 0.8

sources: JVNDB: JVNDB-2020-014822 // NVD: CVE-2020-13945

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2020-13945
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2020-13945
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-202012-424
value:	MEDIUM
Trust: 0.6
VULMON:	CVE-2020-13945
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2020-13945
severity:	MEDIUM
baseScore:	4.0
vectorString:	AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	8.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9

nvd@nist.gov:	CVE-2020-13945
baseSeverity:	MEDIUM
baseScore:	6.5
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	3.6
version:	3.1
Trust: 1.0
NVD:	CVE-2020-13945
baseSeverity:	MEDIUM
baseScore:	6.5
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULMON: CVE-2020-13945 // JVNDB: JVNDB-2020-014822 // CNNVD: CNNVD-202012-424 // NVD: CVE-2020-13945

PROBLEMTYPE DATA

problemtype:	NVD-CWE-Other	Trust: 1.0
problemtype:	Other (CWE-Other) [NVD Evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2020-014822 // NVD: CVE-2020-13945

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202012-424

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202012-424

PATCH

title:	[SECURITY] CVE-2020-13945	url:	https://lists.apache.org/thread.html/r792feb29964067a4108f53e8579a1e9bd1c8b5b9bc95618c814faf2f%40%3Cdev.apisix.apache.org%3E	Trust: 0.8
title:	Apache Apisix Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=137138	Trust: 0.6
title:	-	url:	https://github.com/YutuSec/Apisix_Crack	Trust: 0.1

sources: VULMON: CVE-2020-13945 // JVNDB: JVNDB-2020-014822 // CNNVD: CNNVD-202012-424

EXTERNAL IDS

db:	NVD	id:	CVE-2020-13945	Trust: 2.5
db:	PACKETSTORM	id:	166228	Trust: 1.7
db:	JVNDB	id:	JVNDB-2020-014822	Trust: 0.8
db:	CNNVD	id:	CNNVD-202012-424	Trust: 0.6
db:	VULMON	id:	CVE-2020-13945	Trust: 0.1

sources: VULMON: CVE-2020-13945 // JVNDB: JVNDB-2020-014822 // CNNVD: CNNVD-202012-424 // NVD: CVE-2020-13945

REFERENCES

url:	https://lists.apache.org/thread.html/r792feb29964067a4108f53e8579a1e9bd1c8b5b9bc95618c814faf2f%40%3cdev.apisix.apache.org%3e	Trust: 1.7
url:	http://packetstormsecurity.com/files/166228/apache-apisix-remote-code-execution.html	Trust: 1.7
url:	https://nvd.nist.gov/vuln/detail/cve-2020-13945	Trust: 1.4
url:	https://cwe.mitre.org/data/definitions/.html	Trust: 0.1
url:	https://github.com/yutusec/apisix_crack	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	http://seclists.org/oss-sec/2020/q4/187	Trust: 0.1

sources: VULMON: CVE-2020-13945 // JVNDB: JVNDB-2020-014822 // CNNVD: CNNVD-202012-424 // NVD: CVE-2020-13945

SOURCES

db:	VULMON	id:	CVE-2020-13945
db:	JVNDB	id:	JVNDB-2020-014822
db:	CNNVD	id:	CNNVD-202012-424
db:	NVD	id:	CVE-2020-13945

LAST UPDATE DATE

2024-08-14T15:42:34.993000+00:00

SOURCES UPDATE DATE

db:	VULMON	id:	CVE-2020-13945	date:	2022-04-19T00:00:00
db:	JVNDB	id:	JVNDB-2020-014822	date:	2021-09-01T04:52:00
db:	CNNVD	id:	CNNVD-202012-424	date:	2022-03-08T00:00:00
db:	NVD	id:	CVE-2020-13945	date:	2022-04-19T15:43:07.427

SOURCES RELEASE DATE

db:	VULMON	id:	CVE-2020-13945	date:	2020-12-07T00:00:00
db:	JVNDB	id:	JVNDB-2020-014822	date:	2021-09-01T00:00:00
db:	CNNVD	id:	CNNVD-202012-424	date:	2020-12-07T00:00:00
db:	NVD	id:	CVE-2020-13945	date:	2020-12-07T20:15:12.557