Moderate severityNVD Advisory· Published Aug 20, 2024· Updated Aug 20, 2024

Potential unauthorized access issue in apollo-portal

CVE-2024-43397

Description

Apollo is a configuration management system. A vulnerability exists in the synchronization configuration feature that allows users to craft specific requests to bypass permission checks. This exploit enables them to modify a namespace without the necessary permissions. The issue was addressed with an input parameter check which was released in version 2.3.0.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
com.ctrip.framework.apollo:apolloMaven	< 2.3.0	2.3.0

Affected products

Apolloconfig/Apollov5
Range: < 2.3.0

Patches

f55b419145bf

add namespaces check in synchronization configuration feature

https://github.com/apolloconfig/apolloJason SongAug 3, 2024via ghsa

commit

2 files changed · +12 −1

apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/ItemController.java+1 −1 modified

@@ -195,7 +195,7 @@ public List<ItemDiffs> diff(@RequestBody NamespaceSyncModel model) {
   @PutMapping(value = "/apps/{appId}/namespaces/{namespaceName}/items", consumes = {"application/json"})
   public ResponseEntity<Void> update(@PathVariable String appId, @PathVariable String namespaceName,
                                      @RequestBody NamespaceSyncModel model) {
-    checkModel(!model.isInvalid());
+    checkModel(!model.isInvalid() && model.syncToNamespacesValid(appId, namespaceName));
     boolean hasPermission = permissionValidator.hasModifyNamespacePermission(appId, namespaceName);
     Env envNoPermission = null;
     // if uses has ModifyNamespace permission then he has permission

apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/entity/model/NamespaceSyncModel.java+11 −0 modified

@@ -41,6 +41,17 @@ public boolean isInvalid() {
     return false;
   }
 
+  public boolean syncToNamespacesValid(String appId, String namespaceName) {
+    for (NamespaceIdentifier namespaceIdentifier : syncToNamespaces) {
+      if (appId.equals(namespaceIdentifier.getAppId()) && namespaceName.equals(
+          namespaceIdentifier.getNamespaceName())) {
+        continue;
+      }
+      return false;
+    }
+    return true;
+  }
+
   public List<NamespaceIdentifier> getSyncToNamespaces() {
     return syncToNamespaces;
   }

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-c6c3-h4f7-3962ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2024-43397ghsaADVISORY
github.com/apolloconfig/apollo/commit/f55b419145bf9d4f2f51dd4cd45108229e8d97edghsax_refsource_MISCWEB
github.com/apolloconfig/apollo/pull/5192ghsax_refsource_MISCWEB
github.com/apolloconfig/apollo/releases/tag/v2.3.0ghsax_refsource_MISCWEB
github.com/apolloconfig/apollo/security/advisories/GHSA-c6c3-h4f7-3962ghsax_refsource_CONFIRMWEB

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000