CVE-2020-11710: Kong API Gateway Unauthorized Vulnerability Alert

Recently, Kong issued a risk notification for the Kong Admin Restful API Gateway unauthorized vulnerability. The vulnerability number is CVE-2020-11710, and the vulnerability level is high.

Kong is a cloud-native, fast, scalable, and distributed Microservice Abstraction Layer (also known as an API Gateway or API Middleware). Made available as an open-source project in 2015, its core values are high performance and extensibility.

Actively maintained, Kong is widely used in production at companies ranging from startups to Global 5000 as well as government organizations.

The Kong API gateway administrator control interface has an unauthorized access vulnerability. Through this interface an attacker can take direct control of the gateway and turn it into an open traffic proxy for reaching sensitive internal services.

Kong is usually deployed by enterprises as the API gateway of a cloud-native architecture, and deployments usually follow the official setup guidelines.

By default, the Admin RESTful API (ports 8001 and 8444) is also exposed to the public network, giving an attacker full control over the behaviour of the Kong gateway. The actions an attacker can perform include, but are not limited to:
  • Add routes to key intranet services
  • Use Kong as a proxy node to probe the internal services it can reach
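The exposure described above comes down to where the Admin API is bound. Kong reads this from the `admin_listen` property in `kong.conf` (or the equivalent `KONG_ADMIN_LISTEN` environment variable used in container deployments). The following audit script is an added example, not code from the advisory or from the Kong project: it parses the listen entries and flags any that accept connections beyond loopback. The sample configurations inside it are constructed for illustration.

```python
"""Audit Kong's admin_listen setting for exposure beyond loopback.

Added example (not part of the advisory or of Kong). It reads kong.conf-style
text or an env-file line of the form KONG_ADMIN_LISTEN=... and reports every
Admin API bind address that is reachable from outside the host.
"""
import ipaddress
import re

# Constructed sample: the weak form, Admin API bound to all interfaces.
WEAK_CONF = """
# kong.conf (constructed sample, not from the advisory)
proxy_listen = 0.0.0.0:8000, 0.0.0.0:8443 ssl
admin_listen = 0.0.0.0:8001, 0.0.0.0:8444 ssl
"""

# Constructed sample: the hardened form, Admin API bound to loopback only.
HARDENED_CONF = """
proxy_listen = 0.0.0.0:8000, 0.0.0.0:8443 ssl
admin_listen = 127.0.0.1:8001 reuseport backlog=16384, 127.0.0.1:8444 http2 ssl reuseport backlog=16384
"""

LISTEN_RE = re.compile(r"^(?:admin_listen|KONG_ADMIN_LISTEN)\s*=\s*(.*)$")


def parse_admin_listen(conf_text):
    """Return the raw admin_listen value (kong.conf or env-var form), or None if absent."""
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LISTEN_RE.match(line)
        if m:
            return m.group(1).strip()
    return None


def split_listen_entries(value):
    """Split a Kong listen value into (address, port, flags) tuples.

    Kong accepts 'off' or a comma-separated list of 'ip:port [flag ...]' entries.
    """
    if value is None or value.lower() == "off":
        return []
    entries = []
    for raw in value.split(","):
        parts = raw.split()
        if not parts:
            continue
        addr_port, flags = parts[0], parts[1:]
        if addr_port.startswith("["):
            # IPv6 entries look like [::1]:8001
            addr, _, port = addr_port[1:].partition("]:")
        else:
            addr, _, port = addr_port.rpartition(":")
        entries.append((addr, port, flags))
    return entries


def is_exposed(addr):
    """True when the bind address accepts connections from beyond the host."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        # Hostnames: only 'localhost' is treated as loopback.
        return addr.lower() != "localhost"
    return ip.is_unspecified or not ip.is_loopback


def audit_admin_listen(conf_text):
    """Return a list of findings; an empty list means no exposed Admin API bind."""
    value = parse_admin_listen(conf_text)
    if value is None:
        # Nothing explicit in this text; the effective value must be checked on the running instance.
        return ["admin_listen not set in this configuration; verify the effective value on the running Kong"]
    findings = []
    for addr, port, flags in split_listen_entries(value):
        if is_exposed(addr):
            flag_text = " ".join(flags) or "-"
            findings.append(f"admin_listen binds {addr}:{port} (flags: {flag_text}) beyond loopback")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"[{name}]", audit_admin_listen(conf) or "ok: Admin API bound to loopback only")
```

Run it against a real `kong.conf` by passing the file contents to `audit_admin_listen`; a non-empty result means the Admin API is reachable from the network and should be moved to loopback (or placed behind authentication and network controls) in addition to applying the vendor patch.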

Affected versions

  • Kong version 2.0.2 and below

We recommend that users install the latest patches promptly.