GHSA-fmxq-v8mg-qh25: apollo-portal has potential CSRF issue

Impact

A low-privileged user can create a special web page. If an authenticated portal admin visits this page, the page can silently send a request to assign new roles for that user without any confirmation from the Portal admin.

Patches

The cookie SameSite attribute was set to Lax in #4664 and released in v2.1.0.
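
As an added example of the mitigation the patch applies (this is not Apollo's own code from #4664), the following Spring Boot configuration makes the embedded Tomcat server emit every cookie, including the container-managed session cookie, with `SameSite=Lax`. It assumes a Spring Boot application on embedded Tomcat, as apollo-portal is; the class and bean names are hypothetical.

```java
// Added example, not Apollo's code: set SameSite=Lax on all cookies written by
// embedded Tomcat. A servlet Filter cannot reliably intercept the session cookie
// the container itself creates, so the cookie processor is configured instead.
// Assumes Spring Boot + embedded Tomcat; class/bean names are hypothetical.
import org.apache.tomcat.util.http.Rfc6265CookieProcessor;
import org.springframework.boot.web.embedded.tomcat.TomcatContextCustomizer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class SameSiteCookieConfig {

    // Spring Boot 2.6+ can set this for the session cookie alone with the
    // property server.servlet.session.cookie.same-site=lax; the customizer
    // below applies to every cookie the container serializes.
    @Bean
    public TomcatContextCustomizer sameSiteLaxCookies() {
        return context -> {
            Rfc6265CookieProcessor processor = new Rfc6265CookieProcessor();
            // "lax": the browser withholds cookies from cross-site sub-requests
            // and from cross-site POST/PUT/DELETE requests, so a request sent
            // from another origin reaches the portal without the admin's
            // session and the role-assignment endpoint sees no authenticated user.
            processor.setSameSiteCookies("lax");
            context.setCookieProcessor(processor);
        };
    }
}
```

Two caveats when relying on this: Lax still attaches cookies to top-level cross-site GET navigations, so state-changing endpoints such as role assignment must reject GET and should also carry an anti-CSRF token as defence in depth; and browsers that predate SameSite support ignore the attribute entirely. You can confirm the setting took effect by checking that the `Set-Cookie` header in the portal's login response now ends with `SameSite=Lax`.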

Workarounds

To mitigate the issue without upgrading, portal admins should avoid visiting pages from unknown or untrusted sources while logged in to the portal.

References

Apollo Security Guidance

For more information

If you have any questions or comments about this advisory:


Package

maven com.ctrip.framework.apollo:apollo (Maven)

Affected versions

< 2.1.0

Patched versions

2.1.0

References

  • GHSA-fmxq-v8mg-qh25
  • https://nvd.nist.gov/vuln/detail/CVE-2023-25569
  • apolloconfig/apollo#4664
  • apolloconfig/apollo@00d968a
  • https://github.com/apolloconfig/apollo/releases/tag/v2.1.0
  • https://www.apolloconfig.com/#/en/usage/apollo-user-guide?id=_71-security-related

nobodyiam published to apolloconfig/apollo

Feb 18, 2023

Published by the National Vulnerability Database

Feb 20, 2023

Published to the GitHub Advisory Database

Feb 22, 2023

Reviewed

Feb 22, 2023

Last updated

Feb 22, 2023

Related news

CVE-2023-25569: Potential csrf issue in apollo-portal

Apollo is a configuration management system. Prior to version 2.1.0, a low-privileged user can create a special web page. If an authenticated portal admin visits this page, the page can silently send a request to assign new roles for that user without any confirmation from the Portal admin. Cookie SameSite strategy was set to Lax in version 2.1.0. As a workaround, avoid visiting unknown source pages.