GHSA-c6c3-h4f7-3962
Suggest an improvement- Source
- https://github.com/advisories/GHSA-c6c3-h4f7-3962
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/08/GHSA-c6c3-h4f7-3962/GHSA-c6c3-h4f7-3962.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-c6c3-h4f7-3962
- Aliases
- Published
- 2024-08-20T18:36:40Z
- Modified
- 2024-08-20T18:58:55.526196Z
- Severity
-
- 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
- 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- apollo-portal has potential unauthorized access issue
- Details
-
Impact
A vulnerability exists in the synchronization configuration feature that allows users to craft specific requests to bypass permission checks. This exploit enables them to modify a namespace without the necessary permissions.
Patches
The issue was addressed with an input parameter check in #5192, which was released in version 2.3.0.
Workarounds
To mitigate the issue without upgrading, follow the recommended practices to prevent Apollo from being exposed to the internet.
Credits
The vulnerability was reported and reproduced by Lakeswang.
References
For any questions or comments regarding this advisory: * Open an issue in issue * Email us at apollo-config@googlegroups.com
- Database specific
{ "nvd_published_at": "2024-08-20T15:15:23Z", "cwe_ids": [ "CWE-284" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2024-08-20T18:36:40Z" }- References
-
- https://github.com/apolloconfig/apollo/security/advisories/GHSA-c6c3-h4f7-3962
- https://nvd.nist.gov/vuln/detail/CVE-2024-43397
- https://github.com/apolloconfig/apollo/pull/5192
- https://github.com/apolloconfig/apollo/commit/f55b419145bf9d4f2f51dd4cd45108229e8d97ed
- https://github.com/apolloconfig/apollo
- https://github.com/apolloconfig/apollo/releases/tag/v2.3.0
Affected packages
Maven / com.ctrip.framework.apollo:apollo
Package
- Name
- com.ctrip.framework.apollo:apollo
- View open source insights on deps.dev
- Purl
- pkg:maven/com.ctrip.framework.apollo/apollo