Apollo has potential access control security issue in eureka
CVE-2023-25570

7.5HIGH

Key Information:

Status
Vendor
CVE Published:
20 February 2023

What is CVE-2023-25570?

Apollo, a popular configuration management system, presents security vulnerabilities if users expose the apollo-configservice to the public internet. Prior to version 2.1.0, the integrated eureka service lacks authentication, allowing potential attackers to access it directly. This could lead to unauthorized manipulation of the apollo-configservice and apollo-adminservice. Version 2.1.0 introduces a login authentication feature for eureka to mitigate this risk. To enhance security, it is advisable to avoid internet exposure of the configuration service until the latest version is implemented.

Affected Version(s)

apollo < 2.1.0

References

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.