Lucene search
GoogleOSV:GHSA-XPMX-H7XQ-XFFHHistoryOct 02, 2020 - 4:33 p.m.
Potential access control security issue in apollo-adminservice
2020-10-0216:33:41
Google
osv.dev
16
access control
apollo-adminservice
security issue
internet exposure
malicious hackers
configuration edits
patch 3233
workaround
lexu
reproduction info
security guidance
project maintainers
EPSS
0.001
Percentile
49.3%
Impact
If users expose apollo-adminservice to internet(which is not recommended), there are potential security issues since apollo-adminservice is designed to work in intranet and it doesn’t have built-in access control. Malicious hackers may access apollo-adminservice apis directly to access/edit the application’s configurations.
Patches
Access control for admin service was added in #3233 and was released in v1.7.1.
Workarounds
To fix the potential issue without upgrading, simply follow the advice that do not expose apollo-adminservice to internet.
Credits
Lexu reported the issue and provided the required information to reproduce it.
References
For more information
If you have any questions or comments about this advisory:
- Open an issue
- Email to one of the active project maintainers
Related
cvelist
cvelist
CVE-2020-15170 Missing access control in apollo-adminservice
2020-09-10 18:40:14
gitlab
gitlab
Improper Input Validation
2020-09-10 00:00:00
veracode
veracode
Exposed API
2020-10-05 04:13:32
osv
osv
CVE-2020-15170
2020-09-10 19:15:13
nvd
nvd
CVE-2020-15170
2020-09-10 19:15:13
github
github
Potential access control security issue in apollo-adminservice
2020-10-02 16:33:41
prion
prion
Design/Logic Flaw
2020-09-10 19:15:00
cve
cve
CVE-2020-15170
2020-09-10 19:15:13