If users expose apollo-adminservice to the internet (which is not recommended), there are potential security issues, since apollo-adminservice is designed to run on an intranet and has no built-in access control. Attackers can call the apollo-adminservice APIs directly to read or edit the application's configurations.
Access control for the admin service was added in #3233 and released in v1.7.1.
To mitigate the issue without upgrading, follow the standing advice and do not expose apollo-adminservice to the internet.
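A defender checking the mitigation above wants to know whether the admin service is actually bound to an intranet-only address. The following is an added example, not code from this advisory or from the Apollo project: it classifies listening sockets and flags any apollo-adminservice listener that is bound to a wildcard or non-private address. The listener records are constructed sample data (what one would collect from `ss -ltnp` or equivalent), and the default admin-service port of 8090 is an assumption about a stock deployment.

```python
import ipaddress
from dataclasses import dataclass

# Assumption: Apollo's admin service listens on 8090 in a stock deployment.
ADMIN_SERVICE_PORT = 8090


@dataclass
class Listener:
    proto: str
    addr: str      # bind address as reported by the socket table
    port: int
    process: str   # owning process, as labelled by the operator


# Constructed sample socket table; not taken from any real host.
SAMPLE_LISTENERS = [
    Listener("tcp", "0.0.0.0", 8080, "apollo-configservice"),
    Listener("tcp", "0.0.0.0", 8090, "apollo-adminservice"),   # wildcard bind
    Listener("tcp", "10.0.3.7", 8090, "apollo-adminservice"),  # private address
    Listener("tcp", "127.0.0.1", 8070, "apollo-portal"),
    Listener("tcp", "[::]", 8090, "apollo-adminservice"),      # IPv6 wildcard bind
]


def is_exposed(addr: str) -> bool:
    """True when a bind address could accept traffic from outside the intranet.

    Wildcard binds count as exposed because they listen on every interface,
    including any public-facing one. Private, loopback and link-local
    addresses are treated as intranet-only.
    """
    a = addr.strip("[]")
    if a in ("0.0.0.0", "::"):
        return True
    try:
        ip = ipaddress.ip_address(a)
    except ValueError:
        # Unparseable address: fail closed and report it for manual review.
        return True
    return not (ip.is_private or ip.is_loopback or ip.is_link_local)


def find_exposed_admin_services(listeners, port: int = ADMIN_SERVICE_PORT):
    """Return admin-service listeners bound to an address reachable beyond the intranet.

    A listener is treated as the admin service if its process label says so
    or if it uses the assumed admin-service port.
    """
    return [
        l for l in listeners
        if ("adminservice" in l.process or l.port == port) and is_exposed(l.addr)
    ]


if __name__ == "__main__":
    for l in find_exposed_admin_services(SAMPLE_LISTENERS):
        print(f"exposed admin service: {l.proto} {l.addr}:{l.port} ({l.process})")
```

Running it over the sample table reports the two wildcard binds and accepts the listener on 10.0.3.7. A wildcard bind is only a risk indicator: whether the port is really reachable from the internet also depends on the host's interfaces and any firewall or security group in front of it, so treat a finding as a prompt to verify the network path, not as proof of exposure.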
Lexu reported the issue and provided the required information to reproduce it.
If you have any questions or comments about this advisory:
* Open an issue
* Email one of the active project maintainers
{
  "nvd_published_at": "2020-09-10T19:15:00Z",
  "github_reviewed_at": "2020-10-02T16:32:24Z",
  "severity": "HIGH",
  "github_reviewed": true,
  "cwe_ids": [
    "CWE-20"
  ]
}