Maven package
com.ctrip.framework.apollo/apollo
pkg:maven/com.ctrip.framework.apollo/apollo
Vulnerabilities (4)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-43397 | — | | | < 2.3.0 | 2.3.0 | Aug 20, 2024 | Apollo is a configuration management system. A vulnerability exists in the synchronization configuration feature that allows users to craft specific requests to bypass permission checks. This exploit enables them to modify a namespace without the necessary permissions. The issue |
| CVE-2023-25570 | — | | | < 2.1.0 | 2.1.0 | Feb 20, 2023 | Apollo is a configuration management system. Prior to version 2.1.0, there are potential security issues if users expose apollo-configservice to the internet, which is not recommended. This is because there is no authentication feature enabled for the built-in eureka service. Mal |
| CVE-2023-25569 | — | | | < 2.1.0 | 2.1.0 | Feb 20, 2023 | Apollo is a configuration management system. Prior to version 2.1.0, a low-privileged user can create a special web page. If an authenticated portal admin visits this page, the page can silently send a request to assign new roles for that user without any confirmation from the Po |
| CVE-2019-10686 | — | | | <= 1.3.0 | — | Apr 1, 2019 | An SSRF vulnerability was found in an API from Ctrip Apollo through 1.4.0-SNAPSHOT. An attacker may use it to do an intranet port scan or raise a GET request via /system-info/health because the %23 substring is mishandled. |