If users expose apollo-adminservice to the internet (which is not recommended), there are potential security issues, since apollo-adminservice is designed to work within an intranet and has no built-in access control. Malicious actors may call the apollo-adminservice APIs directly to read or edit the application's configurations.
Access control for the admin service was added in #3233 and released in v1.7.1.
To mitigate the issue without upgrading, simply follow the existing advice: do not expose apollo-adminservice to the internet.
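As an added example (not taken from the advisory or from the project's own files), the fragment below shows how the admin service access control introduced in v1.7.1 is switched on in the apollo-adminservice configuration. The key names are an assumption based on the Apollo distributed deployment guide and should be verified against the version you run; the token value is a placeholder to be replaced with a long random secret.

```properties
# apollo-adminservice application.properties (or equivalent -D JVM options), v1.7.1 or later.
# Assumption: key names follow the Apollo deployment guide; verify them for your release.

# Reject admin API calls that do not carry an accepted token.
admin-service.access.control.enabled=true

# Comma-separated list of accepted tokens. REPLACE-WITH-STRONG-RANDOM-TOKEN is a placeholder;
# generate a long random value and keep it out of version control.
admin-service.access.tokens=REPLACE-WITH-STRONG-RANDOM-TOKEN
```

The portal must present the same token when it talks to the admin service for a given environment; in the deployment guide this is done through a ServerConfig entry named admin-service.access.tokens holding a JSON map from environment name to token (again an assumption to verify for your version). Enabling this control is a defence-in-depth measure and does not replace the advice above: the admin service should still be reachable only from the intranet.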
Lexu reported the issue and provided the information required to reproduce it.
If you have any questions or comments about this advisory: