GHSA-fmxq-v8mg-qh25

Suggest an improvement
Source
https://github.com/advisories/GHSA-fmxq-v8mg-qh25
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-fmxq-v8mg-qh25/GHSA-fmxq-v8mg-qh25.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-fmxq-v8mg-qh25
Aliases
Published
2023-02-22T21:58:27Z
Modified
2023-11-01T05:01:22.913824Z
Severity
  • 5.7 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N CVSS Calculator
Summary
apollo-portal has potential CSRF issue
Details

Impact

A low-privileged user can create a special web page. If an authenticated portal admin visits this page, the page can silently send a request to assign new roles for that user without any confirmation from the Portal admin.

Patches

Cookie SameSite strategy was set to Lax in #4664 and was released in v2.1.0.

Workarounds

To fix the potential issue without upgrading, simply follow the advice that does not visit unknown source pages.

References

Apollo Security Guidence

For more information

If you have any questions or comments about this advisory: * Open an issue in issue * Email us at apollo-config@googlegroups.com

Database specific
{
    "nvd_published_at": "2023-02-20T16:15:00Z",
    "github_reviewed_at": "2023-02-22T21:58:27Z",
    "severity": "MODERATE",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-352"
    ]
}
References

Affected packages

Maven / com.ctrip.framework.apollo:apollo

Package

Name
com.ctrip.framework.apollo:apollo
View open source insights on deps.dev
Purl
pkg:maven/com.ctrip.framework.apollo/apollo

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.1.0

Affected versions

1.*

1.0.0
1.1.0
1.1.1
1.1.2
1.2.0
1.3.0
1.4.0
1.5.0
1.5.1
1.6.0
1.6.2
1.7.0
1.8.0
1.9.0
1.9.1
1.9.2

2.*

2.0.0-RC1
2.0.0
2.0.1