CVE-2024-43397 – com.ctrip.framework.apollo:apollo

Package

Manager: maven
Name: com.ctrip.framework.apollo:apollo
Vulnerable Version: >=0 <2.3.0

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00128 pctl0.33058

Details

apollo-portal has potential unauthorized access issue ### Impact A vulnerability exists in the synchronization configuration feature that allows users to craft specific requests to bypass permission checks. This exploit enables them to modify a namespace without the necessary permissions. ### Patches The issue was addressed with an input parameter check in #5192, which was released in version [2.3.0](https://github.com/apolloconfig/apollo/releases/tag/v2.3.0). ### Workarounds To mitigate the issue without upgrading, follow the recommended practices to prevent Apollo from being exposed to the internet. ### Credits The vulnerability was reported and reproduced by [Lakeswang](https://github.com/Lakes-bitgetsec). ### References For any questions or comments regarding this advisory: * Open an issue in [issue](https://github.com/apolloconfig/apollo/issues) * Email us at [apollo-config@googlegroups.com](mailto:apollo-config@googlegroups.com)

Metadata

Created: 2024-08-20T18:36:40Z
Modified: 2024-08-20T18:36:40Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/08/GHSA-c6c3-h4f7-3962/GHSA-c6c3-h4f7-3962.json
CWE IDs: ["CWE-284"]
Alternative ID: GHSA-c6c3-h4f7-3962
Finding: F039
Auto approve: 1