Lucene search

[email protected]NVD:CVE-2023-25569

HistoryFeb 20, 2023 - 4:15 p.m.

CVE-2023-25569

2023-02-2016:15:10

CWE-352

[email protected]

web.nvd.nist.gov

apollo

configuration management system

vulnerability

low-privileged user

web page

assign roles

cookie samesite strategy

lax

workaround.

5.7 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N

0.001 Low

EPSS

Percentile

26.1%

JSON

Apollo is a configuration management system. Prior to version 2.1.0, a low-privileged user can create a special web page. If an authenticated portal admin visits this page, the page can silently send a request to assign new roles for that user without any confirmation from the Portal admin. Cookie SameSite strategy was set to Lax in version 2.1.0. As a workaround, avoid visiting unknown source pages.

Affected configurations

NVD

Node

apolloconfigapolloRange<2.1.0

References

github.com/apolloconfig/apollo/commit/00d968a7229f809b0d8ed0532e8c01a6c2b7c750

github.com/apolloconfig/apollo/pull/4664

github.com/apolloconfig/apollo/releases/tag/v2.1.0

github.com/apolloconfig/apollo/security/advisories/GHSA-fmxq-v8mg-qh25

www.apolloconfig.com/#/en/usage/apollo-user-guide?id=_71-security-related

5.7 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N

0.001 Low

EPSS

Percentile

26.1%

JSON

Related for NVD:CVE-2023-25569

osv2 prion1 cve1 github1 cvelist1