GHSA-c6c3-h4f7-3962: apollo-portal has potential unauthorized access issue

Impact

A vulnerability exists in the synchronization configuration feature that allows users to craft specific requests that bypass permission checks. This lets them modify a namespace without having the necessary permissions.

Patches

The issue was addressed with an input parameter check in #5192, which was released in version 2.3.0.

Workarounds

To mitigate the issue without upgrading, follow the recommended practices to prevent Apollo from being exposed to the internet.

Credits

The vulnerability was reported and reproduced by Lakeswang.


Package

com.ctrip.framework.apollo:apollo (Maven)

Affected versions

< 2.3.0

Patched versions

2.3.0

References

For any questions or comments regarding this advisory:

  • GHSA-c6c3-h4f7-3962
  • https://nvd.nist.gov/vuln/detail/CVE-2024-43397
  • apolloconfig/apollo#5192
  • apolloconfig/apollo@f55b419
  • https://github.com/apolloconfig/apollo/releases/tag/v2.3.0

  • Published by nobodyiam to apolloconfig/apollo: Aug 20, 2024
  • Published by the National Vulnerability Database: Aug 20, 2024
  • Published to the GitHub Advisory Database: Aug 20, 2024
  • Reviewed: Aug 20, 2024
  • Last updated: Aug 20, 2024
