{"api_version":"1","generated_at":"2026-04-22T17:46:51+00:00","cve":"CVE-2020-13945","urls":{"html":"https://cve.report/CVE-2020-13945","api":"https://cve.report/api/cve/CVE-2020-13945.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2020-13945","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2020-13945"},"summary":{"title":"CVE-2020-13945","description":"In Apache APISIX, the user enabled the Admin API and deleted the Admin API access IP restriction rules. Eventually, the default token is allowed to access APISIX management data. This affects versions 1.2, 1.3, 1.4, 1.5.","state":"PUBLIC","assigner":"security@apache.org","published_at":"2020-12-07 20:15:00","updated_at":"2022-04-19 15:43:00"},"problem_types":["NVD-CWE-Other"],"metrics":[],"references":[{"url":"http://packetstormsecurity.com/files/166228/Apache-APISIX-Remote-Code-Execution.html","name":"http://packetstormsecurity.com/files/166228/Apache-APISIX-Remote-Code-Execution.html","refsource":"MISC","tags":[],"title":"Apache APISIX Remote Code Execution ≈ Packet Storm","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.apache.org/thread.html/r792feb29964067a4108f53e8579a1e9bd1c8b5b9bc95618c814faf2f%40%3Cdev.apisix.apache.org%3E","name":"https://lists.apache.org/thread.html/r792feb29964067a4108f53e8579a1e9bd1c8b5b9bc95618c814faf2f%40%3Cdev.apisix.apache.org%3E","refsource":"CONFIRM","tags":["Mailing List","Patch","Vendor Advisory"],"title":"Pony Mail!","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2020-13945","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-13945","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2020","cve_id":"13945","vulnerable":"1","versionEndIncluding":"1.5","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"apache","cpe5":"apisix","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"data_type":"CVE","data_format":"MITRE","data_version":"4.0","CVE_data_meta":{"ID":"CVE-2020-13945","ASSIGNER":"security@apache.org","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"vendor_name":"Apache Software Foundation","product":{"product_data":[{"product_name":"Apache APISIX","version":{"version_data":[{"version_value":"1.2"},{"version_value":"1.3"},{"version_value":"1.4"},{"version_value":"1.5"}]}}]}}]}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"Admin API default access token vulnerability"}]}]},"references":{"reference_data":[{"refsource":"CONFIRM","name":"https://lists.apache.org/thread.html/r792feb29964067a4108f53e8579a1e9bd1c8b5b9bc95618c814faf2f%40%3Cdev.apisix.apache.org%3E","url":"https://lists.apache.org/thread.html/r792feb29964067a4108f53e8579a1e9bd1c8b5b9bc95618c814faf2f%40%3Cdev.apisix.apache.org%3E"},{"refsource":"MISC","name":"http://packetstormsecurity.com/files/166228/Apache-APISIX-Remote-Code-Execution.html","url":"http://packetstormsecurity.com/files/166228/Apache-APISIX-Remote-Code-Execution.html"}]},"description":{"description_data":[{"lang":"eng","value":"In Apache APISIX, the user enabled the Admin API and deleted the Admin API access IP restriction rules. Eventually, the default token is allowed to access APISIX management data. This affects versions 1.2, 1.3, 1.4, 1.5."}]}},"nvd":{"publishedDate":"2020-12-07 20:15:00","lastModifiedDate":"2022-04-19 15:43:00","problem_types":["NVD-CWE-Other"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":6.5,"baseSeverity":"MEDIUM"},"exploitabilityScore":2.8,"impactScore":3.6},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:S/C:P/I:N/A:N","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"SINGLE","confidentialityImpact":"PARTIAL","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":4},"severity":"MEDIUM","exploitabilityScore":8,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:apache:apisix:*:*:*:*:*:*:*:*","versionStartIncluding":"1.2","versionEndIncluding":"1.5","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2020","CveId":"13945","Ordinal":"175171","Title":"CVE-2020-13945","CVE":"CVE-2020-13945","Year":"2020"},"notes":[{"CveYear":"2020","CveId":"13945","Ordinal":"1","NoteData":"In Apache APISIX, the user enabled the Admin API and deleted the Admin API access IP restriction rules. Eventually, the default token is allowed to access APISIX management data. This affects versions 1.2, 1.3, 1.4, 1.5.","Type":"Description","Title":null},{"CveYear":"2020","CveId":"13945","Ordinal":"2","NoteData":"2020-12-07","Type":"Other","Title":"Published"},{"CveYear":"2020","CveId":"13945","Ordinal":"3","NoteData":"2020-12-07","Type":"Other","Title":"Modified"}]}}}