Lucene search

GoogleOSV:CVE-2023-25570

HistoryFeb 20, 2023 - 4:15 p.m.

CVE-2023-25570

2023-02-2016:15:10

Google

osv.dev

apollo

configuration management

security issues

exposed service

eureka

authentication

malicious hackers

workaround

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS

0.001

Percentile

39.4%

JSON

Apollo is a configuration management system. Prior to version 2.1.0, there are potential security issues if users expose apollo-configservice to the internet, which is not recommended. This is because there is no authentication feature enabled for the built-in eureka service. Malicious hackers may access eureka directly to mock apollo-configservice and apollo-adminservice. Login authentication for eureka was added in version 2.1.0. As a workaround, avoid exposing apollo-configservice to the internet.

References

github.com/apolloconfig/apollo/commit/7df79bf8df6960433ed4ff782a54e3dfc74632bd

github.com/apolloconfig/apollo/pull/4663

github.com/apolloconfig/apollo/releases/tag/v2.1.0

github.com/apolloconfig/apollo/security/advisories/GHSA-368x-wmmg-hq5c

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS

0.001

Percentile

39.4%

JSON

Related for OSV:CVE-2023-25570