[MAVEN:GHSA-368X-WMMG-HQ5C] Apollo has potential access control security issue in eureka
Severity
High
Affected Packages
1
Fixed Packages
1
CVEs
1
Impact
If users expose the apollo-configservice to the internet (which is not recommended), there are potential security issues since there is no authentication feature enabled for the built-in eureka service. Malicious hackers may access eureka directly to mock apollo-configservice and apollo-adminservice .
Patches
Login authentication for eureka was added in https://github.com/apolloconfig/apollo/pull/4663 and was released in v2.1.0.
Workarounds
To fix the potential issue without upgrading, simply follow the advice that does not expose apollo-configservice to the internet.
References
For more information
If you have any questions or comments about this advisory:
* Open an issue in issue
* Email us at apollo-config@googlegroups.com
| Package | Affected Version |
|---|---|
 pkg:maven/com.ctrip.framework.apollo/apollo
|
< 2.1.0 |
| Package | Fixed Version |
|---|---|
|
pkg:maven/com.ctrip.framework.apollo/apollo
|
= 2.1.0 |
- ID
- MAVEN:GHSA-368X-WMMG-HQ5C
- Severity
- high
- URL
- https://github.com/advisories/GHSA-368x-wmmg-hq5c
- Published
-
2023-02-22T21:58:33
(19 months ago) - Modified
-
2023-02-22T21:58:34
(19 months ago) - Rights
- Maven Security Team
| # CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | Exploits | PoC | Pubblication Date | Modification Date |
|---|---|---|---|---|---|---|---|---|---|---|---|
| # CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | PoC | Pubblication Date | Modification Date |