GHSA-368x-wmmg-hq5c

Suggest an improvement
Source
https://github.com/advisories/GHSA-368x-wmmg-hq5c
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-368x-wmmg-hq5c/GHSA-368x-wmmg-hq5c.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-368x-wmmg-hq5c
Aliases
Published
2023-02-22T21:58:33Z
Modified
2023-11-01T05:01:22.975960Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
Summary
Apollo has potential access control security issue in eureka
Details

Impact

If users expose the apollo-configservice to the internet (which is not recommended), there are potential security issues since there is no authentication feature enabled for the built-in eureka service. Malicious hackers may access eureka directly to mock apollo-configservice and apollo-adminservice .

Patches

Login authentication for eureka was added in https://github.com/apolloconfig/apollo/pull/4663 and was released in v2.1.0.

Workarounds

To fix the potential issue without upgrading, simply follow the advice that does not expose apollo-configservice to the internet.

References

Apollo Security Guidence

For more information

If you have any questions or comments about this advisory: * Open an issue in issue * Email us at apollo-config@googlegroups.com

Database specific 
{
    "nvd_published_at": "2023-02-20T16:15:00Z",
    "github_reviewed_at": "2023-02-22T21:58:33Z",
    "severity": "HIGH",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-306"
    ]
}
References

Affected packages

Maven / com.ctrip.framework.apollo:apollo

Package

Name
com.ctrip.framework.apollo:apollo
View open source insights on deps.dev
Purl
pkg:maven/com.ctrip.framework.apollo/apollo

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.1.0

Affected versions

1.*

1.0.0
1.1.0
1.1.1
1.1.2
1.2.0
1.3.0
1.4.0
1.5.0
1.5.1
1.6.0
1.6.2
1.7.0
1.8.0
1.9.0
1.9.1
1.9.2

2.*

2.0.0-RC1
2.0.0
2.0.1