Description
Apollo is a configuration management system. Prior to version 2.1.0, a low-privileged user could craft a web page that, when visited by an authenticated Portal admin, silently sends a request to the Portal assigning new roles to that user; the admin is never asked to confirm. The request succeeds because the browser attaches the admin's Portal cookies to the cross-site request, a cross-site request forgery (CSRF). Version 2.1.0 sets the cookie SameSite attribute to Lax, so browsers no longer send the cookies on cross-site POST requests. As a workaround for deployments that cannot upgrade, Portal admins should avoid visiting pages from untrusted sources while logged in.
CVSS breakdown
CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Scope: Unchanged
- Confidentiality: None
- Integrity: High
- Availability: None
Affected products
- apolloconfig / apollo: versions < 2.1.0 (fixed in 2.1.0)
References
- Vendor advisory: https://github.com/apolloconfig/apollo/security/advisories/GHSA-fmxq-v8mg-qh25
- Patch (pull request): https://github.com/apolloconfig/apollo/pull/4664
- Patch (commit): https://github.com/apolloconfig/apollo/commit/00d968a7229f809b0d8ed0532e8c01a6c2b7c750
- Patch (release): https://github.com/apolloconfig/apollo/releases/tag/v2.1.0
- Misc (user guide, security section): https://www.apolloconfig.com/#/en/usage/apollo-user-guide?id=_71-security-related