CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
AI Score
Confidence
Low
EPSS
Percentile
21.3%
A vulnerability exists in the synchronization configuration feature that allows users to craft specific requests to bypass permission checks. This exploit enables them to modify a namespace without the necessary permissions.
The issue was addressed with an input parameter check in #5192, which was released in version 2.3.0.
To mitigate the issue without upgrading, follow the recommended practices to prevent Apollo from being exposed to the internet.
The vulnerability was reported and reproduced by Lakeswang.
For any questions or comments regarding this advisory:
Vendor | Product | Version | CPE |
---|---|---|---|
com.ctrip.framework.apollo | apollo | * | cpe:2.3:a:com.ctrip.framework.apollo:apollo:*:*:*:*:*:*:*:* |
github.com/advisories/GHSA-c6c3-h4f7-3962
github.com/apolloconfig/apollo/commit/f55b419145bf9d4f2f51dd4cd45108229e8d97ed
github.com/apolloconfig/apollo/pull/5192
github.com/apolloconfig/apollo/releases/tag/v2.3.0
github.com/apolloconfig/apollo/security/advisories/GHSA-c6c3-h4f7-3962
nvd.nist.gov/vuln/detail/CVE-2024-43397
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
AI Score
Confidence
Low
EPSS
Percentile
21.3%