CVE-2019-10686 – com.ctrip.framework.apollo:apollo
Package
Manager: maven
Name: com.ctrip.framework.apollo:apollo
Vulnerable Version: >=0 <=1.3.0
Severity
Level: Critical
CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
EPSS: 0.0035 (percentile: 0.56785)
Details
Server-Side Request Forgery (SSRF) in com.ctrip.framework.apollo:apollo
An SSRF vulnerability was found in an API of Ctrip Apollo through 1.4.0-SNAPSHOT. An attacker may use it to perform an intranet port scan or issue a GET request via `/system-info/health`, because the `%23` substring is mishandled.
Metadata
Created: 2019-04-18T14:27:42Z
Modified: 2023-09-05T23:27:35Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/04/GHSA-fvx3-g627-phm2/GHSA-fvx3-g627-phm2.json
CWE IDs: CWE-918
Alternative ID: GHSA-fvx3-g627-phm2
Finding: F100
Auto approve: 1