If users expose apollo-adminservice to internet(which is not recommended), there are potential security issues since apollo-adminservice is designed to work in intranet and it doesn't have built-in access control. Malicious hackers may access apollo-adminservice apis directly to access/edit the application's configurations.
Access control for admin service was added in #3233 and was released in v1.7.1.
To fix the potential issue without upgrading, simply follow the advice that do not expose apollo-adminservice to internet.
Lexu reported the issue and provided the required information to reproduce it.
If you have any questions or comments about this advisory:
* Open an issue
* Email to one of the active project maintainers
| Score | Percentile |
|---|---|
| 0.28% | 50.73% |
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 7.0 | 3.1 | — |
|
| Type | Value |
|---|---|
| GHSA | GHSA-xpmx-h7xq-xffh ↗ |
| CVE | CVE-2020-15170 ↗ |
| CWE id | Name |
|---|---|
| CWE-20 | Improper Input Validation |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| maven | com.ctrip.framework.apollo:apollo-core | < 1.7.1 | 1.7.1 | — |