Lucene search

GitHub_MCVELIST:CVE-2023-25570

HistoryFeb 20, 2023 - 3:22 p.m.

CVE-2023-25570 Apollo has potential access control security issue in eureka

2023-02-2015:22:03

CWE-306

GitHub_M

www.cve.org

cve-2023-25570

access control

security issue

eureka

apollo-configservice

apollo-adminservice

authentication

version 2.1.0

malicious hackers

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

0.001 Low

EPSS

Percentile

35.9%

JSON

Apollo is a configuration management system. Prior to version 2.1.0, there are potential security issues if users expose apollo-configservice to the internet, which is not recommended. This is because there is no authentication feature enabled for the built-in eureka service. Malicious hackers may access eureka directly to mock apollo-configservice and apollo-adminservice. Login authentication for eureka was added in version 2.1.0. As a workaround, avoid exposing apollo-configservice to the internet.

CNA Affected

[
  {
    "vendor": "apolloconfig",
    "product": "apollo",
    "versions": [
      {
        "version": "< 2.1.0",
        "status": "affected"
      }
    ]
  }
]

References

github.com/apolloconfig/apollo/commit/7df79bf8df6960433ed4ff782a54e3dfc74632bd

github.com/apolloconfig/apollo/pull/4663

github.com/apolloconfig/apollo/releases/tag/v2.1.0

github.com/apolloconfig/apollo/security/advisories/GHSA-368x-wmmg-hq5c

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

0.001 Low

EPSS

Percentile

35.9%

JSON

Related for CVELIST:CVE-2023-25570