Lucene search

[email protected]NVD:CVE-2023-25570

HistoryFeb 20, 2023 - 4:15 p.m.

CVE-2023-25570

2023-02-2016:15:10

CWE-306

[email protected]

web.nvd.nist.gov

apollo

configuration management

security issues

authentication

eureka

internet exposure

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

0.001 Low

EPSS

Percentile

35.9%

JSON

Apollo is a configuration management system. Prior to version 2.1.0, there are potential security issues if users expose apollo-configservice to the internet, which is not recommended. This is because there is no authentication feature enabled for the built-in eureka service. Malicious hackers may access eureka directly to mock apollo-configservice and apollo-adminservice. Login authentication for eureka was added in version 2.1.0. As a workaround, avoid exposing apollo-configservice to the internet.

Affected configurations

NVD

Node

apolloconfigapolloRange<2.1.0

References

github.com/apolloconfig/apollo/commit/7df79bf8df6960433ed4ff782a54e3dfc74632bd

github.com/apolloconfig/apollo/pull/4663

github.com/apolloconfig/apollo/releases/tag/v2.1.0

github.com/apolloconfig/apollo/security/advisories/GHSA-368x-wmmg-hq5c

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

0.001 Low

EPSS

Percentile

35.9%

JSON

Related for NVD:CVE-2023-25570

cve1 osv2 prion1 cvelist1 github1