CVE-2020-11710 Overview
CVE-2020-11710 is a security misconfiguration in docker-kong, Kong's Docker packaging repository, through version 2.0.3. Its docker-compose template leaves the Kong Admin API port reachable on network interfaces other than the loopback address (127.0.0.1), so the administrative interface can be exposed to remote, unauthenticated clients.
The vendor disputes this CVE. Kong's position is that the issue is confined to the docker-compose template used for quick development setups and does not affect the Kong Docker image or the Kong gateway itself; the template is intended for development only, and its README points to the documentation on securing the Admin API, which has been available since 2017.
Critical Impact
Unauthenticated remote attackers may gain full administrative control of an exposed Kong gateway: they can rewrite routes and services, add or remove plugins, read the consumers and credentials Kong stores, and use the gateway to intercept or redirect traffic bound for the services behind it.
Affected Products
- Kong docker-kong (the docker-compose template) through version 2.0.3
- docker-compose deployments created from that template without further hardening
Discovery Timeline
- April 12, 2020 - CVE-2020-11710 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2020-11710
Vulnerability Analysis
This vulnerability stems from an insecure default in Kong's docker-compose template. A container's 127.0.0.1 is its own loopback interface, not the host's, so for the host to reach the Admin API the template binds the listener to a wildcard address (0.0.0.0, via KONG_ADMIN_LISTEN) and publishes the port. A port published without a host address ("8001:8001") is mapped by Docker on every host interface, so a deployment that follows the template as-is exposes the administrative interface to anything that can reach the host on that port.
The Kong Admin API provides extensive control over the API gateway, including the ability to add, modify, or delete routes, plugins, consumers, and upstream configurations. When exposed to untrusted networks, this creates a significant attack surface that can lead to complete compromise of the API gateway infrastructure.
Root Cause
The root cause is the combination, in the docker-compose template, of a wildcard Admin API listener and a port publication that is not pinned to the host's loopback address (127.0.0.1), rather than a listener restricted to the loopback interface, which is Kong's own default. The vendor points out that the template is for development and not production use; deployments that follow it without additional hardening remain exposed nonetheless.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker with network access to an exposed Admin API port (8001 for plain HTTP, 8444 for the TLS listener) can interact directly with the administrative endpoints.
Exploitation involves:
- Scanning for Kong admin API endpoints accessible on non-localhost interfaces
- Connecting to the exposed admin API port without authentication
- Using the admin API to enumerate existing configurations, routes, and plugins
- Modifying gateway configurations to intercept traffic, inject malicious plugins, or redirect requests to attacker-controlled servers
- Potentially pivoting to compromise downstream services or exfiltrate sensitive data passing through the gateway
Detection Methods for CVE-2020-11710
Indicators of Compromise
- Unexpected connections to the Kong Admin API ports (default 8001, or 8444 for the TLS listener) from addresses other than the loopback address
- Unauthorized modifications to Kong routes, services, or plugin configurations
- New or modified consumers, credentials, or access control lists
- Unusual request patterns in Kong's Admin API access log (the admin_access_log setting, separate from the proxy access log)
Detection Strategies
- Monitor network traffic for connections to ports 8001 and 8444 originating from non-loopback addresses
- Implement audit logging for all admin API operations and review for unauthorized changes
- Use network scanning tools to verify admin API is not accessible from external networks
- Deploy intrusion detection rules to alert on admin API access attempts from unauthorized sources
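The audit-logging and non-loopback-connection checks above can be run over the Admin API access log itself. The following is an added example for this page, not Kong's own tooling: it assumes the Admin API access log (Kong's admin_access_log) is written in nginx's default "combined" format, parses each line, and rates requests by where they came from and whether they changed gateway configuration. The sample log lines are constructed for the example, not captured from a real system.

```python
"""Flag suspicious requests in a Kong Admin API access log.

Added example for this page, not Kong's own tooling. It assumes the Admin API
access log (Kong's admin_access_log) is in nginx's default "combined" format;
the sample lines below are constructed for the example, not captured logs.
"""
import ipaddress
import re

# nginx "combined": client - user [time] "METHOD path PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)
MUTATING = {"POST", "PUT", "PATCH", "DELETE"}
# Admin API resources whose modification changes what the gateway does or who may use it.
SENSITIVE = ("/routes", "/services", "/plugins", "/consumers", "/upstreams", "/certificates")
# Only loopback ranges are trusted by default; the Admin API should not be reachable elsewhere.
LOOPBACK = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128")]

# Constructed sample: operator activity from localhost, then a remote client
# enumerating consumers and rewriting plugins and routes.
SAMPLE_LOG = """\
127.0.0.1 - - [12/Apr/2020:10:00:01 +0000] "GET /status HTTP/1.1" 200 512 "-" "curl/7.64.0"
127.0.0.1 - - [12/Apr/2020:10:00:05 +0000] "POST /services HTTP/1.1" 201 340 "-" "deck/1.0"
203.0.113.45 - - [12/Apr/2020:10:02:11 +0000] "GET / HTTP/1.1" 200 8192 "-" "python-requests/2.23"
203.0.113.45 - - [12/Apr/2020:10:02:14 +0000] "GET /consumers HTTP/1.1" 200 1024 "-" "python-requests/2.23"
203.0.113.45 - - [12/Apr/2020:10:02:20 +0000] "POST /plugins HTTP/1.1" 201 410 "-" "python-requests/2.23"
203.0.113.45 - - [12/Apr/2020:10:02:25 +0000] "PATCH /routes/api-v1 HTTP/1.1" 200 380 "-" "python-requests/2.23"
garbage line that does not parse
"""


def parse_line(line):
    """Return the fields of one access-log line, or None if it is not in combined format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def is_trusted(client, networks):
    """True if the client address falls inside one of the trusted networks."""
    try:
        addr = ipaddress.ip_address(client)
    except ValueError:  # hostname or garbage in the client field: never trusted
        return False
    return any(addr in net for net in networks)


def classify(entry, networks):
    """high = config change from an untrusted address, medium = any untrusted request,
    low = config change from a trusted address (worth auditing), None = nothing to report."""
    trusted = is_trusted(entry["client"], networks)
    change = entry["method"] in MUTATING and entry["path"].startswith(SENSITIVE)
    if not trusted:
        return "high" if change else "medium"
    return "low" if change else None


def find_suspicious(lines, extra_trusted=()):
    """Scan log lines; extra_trusted lists CIDRs (e.g. a Docker bridge gateway) to treat as local."""
    networks = LOOPBACK + [ipaddress.ip_network(n) for n in extra_trusted]
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        severity = classify(entry, networks)
        if severity:
            findings.append({"severity": severity, "client": entry["client"],
                             "method": entry["method"], "path": entry["path"],
                             "status": entry["status"]})
    return findings


def remote_change_clients(findings):
    """Source addresses that changed gateway configuration from outside the trusted networks."""
    return {f["client"] for f in findings if f["severity"] == "high"}


if __name__ == "__main__":
    found = find_suspicious(SAMPLE_LOG.splitlines())
    for f in found:
        print(f"{f['severity']:6} {f['client']:15} {f['method']:6} {f['path']} -> {f['status']}")
    print("remote config changes from:", remote_change_clients(found))
```

One Docker-specific caveat when reading these logs: a connection made to the published port on the host's own 127.0.0.1 is forwarded by docker-proxy, and Kong then sees the bridge gateway address (for example 172.18.0.1) rather than 127.0.0.1 as the client. Pass that gateway network via extra_trusted so legitimate host-local administration is rated low rather than medium or high.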
Monitoring Recommendations
- Configure network-level monitoring to detect and alert on external connection attempts to the Admin API ports (8001 and 8444)
- Implement configuration management tools to detect unauthorized changes to Kong configurations
- Review Docker network configurations to ensure administrative interfaces are isolated: a published port without a host address is mapped on every host interface
- Regularly audit container networking and published ports in docker-compose deployments, including the value of KONG_ADMIN_LISTEN
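The root-cause discussion above and the recommendation to audit published ports both come down to one check: is an Admin API listener that binds a wildcard address inside the container published on a non-loopback host address? The following is an added example for this page, not part of docker-kong. It assumes the compose "short" port syntax ([HOST_IP:][HOST_PORT:]CONTAINER_PORT[/proto], without port ranges) and takes a service definition as a plain dict; the three service definitions are constructed to mirror the vulnerable shape, the corrected shape, and a common mistake, not copied from the repository.

```python
"""Audit a docker-compose service definition for a host-exposed Kong Admin API.

Added example for this page, not part of docker-kong. Assumes the compose
"short" port syntax ([HOST_IP:][HOST_PORT:]CONTAINER_PORT[/proto], no port
ranges) and a service given as a plain dict. The service definitions below are
constructed to show the vulnerable, corrected and misleading shapes.
"""
import ipaddress

# Kong's own default when KONG_ADMIN_LISTEN is not set: loopback only.
DEFAULT_ADMIN_LISTEN = "127.0.0.1:8001, 127.0.0.1:8444 ssl"

# Constructed: wildcard listener plus unpinned publication, the shape the CVE describes.
VULNERABLE = {
    "image": "kong",
    "environment": {"KONG_ADMIN_LISTEN": "0.0.0.0:8001, 0.0.0.0:8444 ssl"},
    "ports": ["8000:8000/tcp", "8001:8001/tcp", "8443:8443/tcp", "8444:8444/tcp"],
}
# Constructed: same listener, but the Admin API ports are published on the host loopback only.
FIXED = {
    "image": "kong",
    "environment": {"KONG_ADMIN_LISTEN": "0.0.0.0:8001, 0.0.0.0:8444 ssl"},
    "ports": ["8000:8000/tcp", "127.0.0.1:8001:8001/tcp", "8443:8443/tcp", "127.0.0.1:8444:8444/tcp"],
}
# Constructed: loopback listener inside the container; the host mapping can never reach it.
MISLEADING = {
    "image": "kong",
    "environment": {"KONG_ADMIN_LISTEN": "127.0.0.1:8001"},
    "ports": ["8001:8001"],
}


def parse_port_spec(spec):
    """Return (host_ip, host_port, container_port, proto) for a short-syntax port spec."""
    spec = str(spec)
    if "/" in spec:
        spec, proto = spec.rsplit("/", 1)
    else:
        proto = "tcp"
    parts = spec.split(":")
    if len(parts) == 1:                     # "8001": ephemeral host port on all interfaces
        return ("0.0.0.0", None, int(parts[0]), proto)
    if len(parts) == 2:                     # "8001:8001": fixed host port on all interfaces
        return ("0.0.0.0", int(parts[0]), int(parts[1]), proto)
    host_ip = ":".join(parts[:-2])          # "127.0.0.1:8001:8001" or "[::1]:8001:8001"
    return (host_ip.strip("[]"), int(parts[-2]), int(parts[-1]), proto)


def parse_admin_listen(value):
    """Parse KONG_ADMIN_LISTEN ("0.0.0.0:8001, 0.0.0.0:8444 ssl") into [(ip, port, flags)]."""
    listeners = []
    for item in value.split(","):
        item = item.strip()
        if not item or item == "off":       # "off" disables the Admin API entirely
            continue
        addr, *flags = item.split()
        ip, port = addr.rsplit(":", 1)
        listeners.append((ip.strip("[]"), int(port), set(flags)))
    return listeners


def reachable_beyond_loopback(ip):
    """True if a bind address accepts connections from outside its network namespace's loopback."""
    return not ipaddress.ip_address(ip).is_loopback


def audit_admin_exposure(service):
    """Return (kind, port, detail) findings; kind is 'exposed' or 'ineffective'."""
    env = service.get("environment", {})
    if isinstance(env, list):               # compose also accepts ["KEY=value", ...]
        env = dict(e.split("=", 1) for e in env)
    listeners = parse_admin_listen(env.get("KONG_ADMIN_LISTEN", DEFAULT_ADMIN_LISTEN))
    findings = []
    if service.get("network_mode") == "host":
        # No port mapping at all: the container's listener is the host's listener.
        for ip, port, _ in listeners:
            if reachable_beyond_loopback(ip):
                findings.append(("exposed", port, f"host networking and KONG_ADMIN_LISTEN binds {ip}:{port}"))
        return findings
    by_port = {port: ip for ip, port, _ in listeners}
    for spec in service.get("ports", []):
        host_ip, _, cport, _ = parse_port_spec(spec)
        if cport not in by_port:
            continue
        if not reachable_beyond_loopback(by_port[cport]):
            findings.append(("ineffective", cport,
                             f"{spec!r} is published but Kong listens on container loopback {by_port[cport]}"))
        elif reachable_beyond_loopback(host_ip):
            findings.append(("exposed", cport, f"{spec!r} publishes the Admin API on host address {host_ip}"))
    return findings


if __name__ == "__main__":
    for name, svc in (("vulnerable", VULNERABLE), ("fixed", FIXED), ("misleading", MISLEADING)):
        print(name, audit_admin_exposure(svc) or "no findings")
```

With PyYAML installed, a real file can be fed in as yaml.safe_load(open("docker-compose.yml"))["services"]["kong"]. The "ineffective" finding is the case to watch for: it looks secure on the host (connections are refused) but means the Admin API is reachable only from inside the container, which is rarely what the operator intended.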
How to Mitigate CVE-2020-11710
Immediate Actions Required
- Verify that the Kong Admin API is reachable only on the loopback interface: on the host, docker port <container> should show the Admin API ports mapped to 127.0.0.1, and a listing of listening sockets (for example ss -ltn) should show no 0.0.0.0:8001 or 0.0.0.0:8444
- Implement network segmentation to restrict access to administrative ports
- Apply firewall rules to block external access to ports 8001 and 8444. Traffic to a Docker-published port is NATed and passes through the FORWARD chain, so INPUT-chain rules (including ufw's defaults) do not block it; put such rules in Docker's DOCKER-USER chain, or better, publish the port on 127.0.0.1 only
- Review Kong configurations for any unauthorized modifications made during potential exposure
Patch Information
Kong has updated the docker-compose template and its documentation to address this issue. The relevant changes are the Kong Docker Repository Commit and the Kong Documentation Update.
Organizations should update to the latest docker-compose templates and follow Kong's security documentation for properly securing the admin API in production environments.
Workarounds
- For a host install, keep KONG_ADMIN_LISTEN on the loopback address (127.0.0.1:8001, 127.0.0.1:8444 ssl, which is Kong's own default) instead of 0.0.0.0. Inside a container, 127.0.0.1 is the container's loopback and the host cannot reach it through a published port, so for docker-compose pin the published port to the host's loopback ("127.0.0.1:8001:8001") rather than publishing "8001:8001"
- Implement network-level access controls using Docker network configurations or external firewalls
- If remote access is required, put an authenticating reverse proxy in front of the Admin API; Kong's own documentation describes exposing the Admin API through Kong itself with an authentication plugin
- Consider using Kong's Role-Based Access Control (RBAC) features in Kong Enterprise for additional protection
# Secure Kong admin API configuration example (host install, no container):
# bind both Admin API listeners to the loopback interface only
export KONG_ADMIN_LISTEN="127.0.0.1:8001, 127.0.0.1:8444 ssl"
# In docker-compose.yml the value above would bind the container's own
# loopback, which the host cannot reach through a published port. Keep the
# listener on 0.0.0.0 inside the container and publish the ports on the
# host's loopback instead:
# environment:
# - "KONG_ADMIN_LISTEN=0.0.0.0:8001, 0.0.0.0:8444 ssl"
# ports:
# - "127.0.0.1:8001:8001/tcp"
# - "127.0.0.1:8444:8444/tcp"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

