GHSA-368x-wmmg-hq5c: Apollo has potential access control security issue in eureka

Impact

If users expose the apollo-configservice to the internet (which is not recommended), there are potential security issues because the built-in eureka service has no authentication feature enabled. An attacker can access eureka directly and impersonate apollo-configservice and apollo-adminservice.
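From the defender's side, the impersonation described above shows up as unexpected instances in the eureka registry, so one practical check is to audit what eureka has registered against the hosts known to run each Apollo service. The block below is an added example, not Apollo project code; it assumes the JSON shape eureka returns for `GET /eureka/apps` with an `Accept: application/json` header, a hypothetical per-service host allow-list, and a constructed sample registry in which an unknown host has registered itself as apollo-configservice.

```python
import json

# Hypothetical allow-list: hosts that legitimately run each Apollo service.
# Eureka stores application names upper-cased, hence the spelling here.
EXPECTED_HOSTS = {
    "APOLLO-CONFIGSERVICE": {"10.0.1.10", "10.0.1.11"},
    "APOLLO-ADMINSERVICE": {"10.0.1.20"},
}

# Constructed sample registry in the shape of GET /eureka/apps (JSON): one real
# instance per service plus an unknown host that has registered itself as
# apollo-configservice, which is what the advisory's impersonation looks like.
SAMPLE_REGISTRY = json.dumps({"applications": {"application": [
    {"name": "APOLLO-CONFIGSERVICE", "instance": [
        {"ipAddr": "10.0.1.10", "homePageUrl": "http://10.0.1.10:8080/", "status": "UP"},
        {"ipAddr": "203.0.113.7", "homePageUrl": "http://203.0.113.7:8080/", "status": "UP"},
    ]},
    {"name": "APOLLO-ADMINSERVICE", "instance": [
        {"ipAddr": "10.0.1.20", "homePageUrl": "http://10.0.1.20:8090/", "status": "UP"},
    ]},
]}})


def find_unexpected_instances(registry_json, expected_hosts):
    """Return (app, ipAddr, homePageUrl) for every UP instance of a watched
    service whose IP is not on that service's allow-list."""
    registry = json.loads(registry_json)
    findings = []
    for app in registry.get("applications", {}).get("application", []):
        name = app.get("name", "").upper()
        if name not in expected_hosts:
            continue  # only Apollo's own services are audited here
        instances = app.get("instance", [])
        if isinstance(instances, dict):  # some Eureka builds emit a lone
            instances = [instances]      # instance as an object, not a list
        for inst in instances:
            if inst.get("status") != "UP":
                continue
            ip = inst.get("ipAddr")
            if ip not in expected_hosts[name]:
                findings.append((name, ip, inst.get("homePageUrl")))
    return findings


if __name__ == "__main__":
    for name, ip, url in find_unexpected_instances(SAMPLE_REGISTRY, EXPECTED_HOSTS):
        print(f"ALERT: unexpected {name} instance {ip} ({url}) registered in Eureka")
```

Run it periodically against the real registry (or feed it a saved `/eureka/apps` response) and alert on any finding; a hit means something other than your known hosts is answering as an Apollo service.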

Patches

Login authentication for eureka was added in https://github.com/apolloconfig/apollo/pull/4663 and was released in v2.1.0.

Workarounds

To mitigate the issue without upgrading, follow the existing advice and do not expose apollo-configservice to the internet.

References

Apollo Security Guidance

For more information

If you have any questions or comments about this advisory:


Package

com.ctrip.framework.apollo:apollo (Maven)

Affected versions

< 2.1.0

Patched versions

2.1.0

References

  • GHSA-368x-wmmg-hq5c
  • https://nvd.nist.gov/vuln/detail/CVE-2023-25570
  • apolloconfig/apollo#4663
  • apolloconfig/apollo@7df79bf
  • https://github.com/apolloconfig/apollo/releases/tag/v2.1.0

nobodyiam published to apolloconfig/apollo

Feb 18, 2023

Published by the National Vulnerability Database

Feb 20, 2023

Published to the GitHub Advisory Database

Feb 22, 2023

Reviewed

Feb 22, 2023

Last updated

Feb 22, 2023

Related news

CVE-2023-25570: Apollo 2.1.0 Release · apolloconfig/apollo

Apollo is a configuration management system. Prior to version 2.1.0, there are potential security issues if users expose apollo-configservice to the internet, which is not recommended. This is because there is no authentication feature enabled for the built-in eureka service. Malicious hackers may access eureka directly to mock apollo-configservice and apollo-adminservice. Login authentication for eureka was added in version 2.1.0. As a workaround, avoid exposing apollo-configservice to the internet.