GoogleOSV:GHSA-368X-WMMG-HQ5CApollo has potential access control security issue in eureka
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
0.001 Low
EPSS
Percentile
35.9%
Impact
If users expose the apollo-configservice to the internet (which is not recommended), there are potential security issues since there is no authentication feature enabled for the built-in eureka service. Malicious hackers may access eureka directly to mock apollo-configservice and apollo-adminservice .
Patches
Login authentication for eureka was added in https://github.com/apolloconfig/apollo/pull/4663 and was released in v2.1.0.
Workarounds
To fix the potential issue without upgrading, simply follow the advice that does not expose apollo-configservice to the internet.
References
For more information
If you have any questions or comments about this advisory:
- Open an issue in issue
- Email us at [email protected]
References
github.com/apolloconfig/apollo
github.com/apolloconfig/apollo/commit/7df79bf8df6960433ed4ff782a54e3dfc74632bd
github.com/apolloconfig/apollo/pull/4663
github.com/apolloconfig/apollo/releases/tag/v2.1.0
github.com/apolloconfig/apollo/security/advisories/GHSA-368x-wmmg-hq5c
nvd.nist.gov/vuln/detail/CVE-2023-25570
Related
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
0.001 Low
EPSS
Percentile
35.9%