Description
Apollo is a configuration management system. A vulnerability exists in the synchronization configuration feature that allows users to craft specific requests to bypass permission checks. This exploit enables them to modify a namespace without the necessary permissions. The issue was addressed with an input parameter check which was released in version 2.3.0.
CVSS breakdown
CVSS 3.1
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None
Affected products
- apolloconfig / apollo< 2.3.0 – < 2.3.0
References
- VENDOR_ADVISORYhttps://github.com/apolloconfig/apollo/security/advisories/GHSA-c6c3-h4f7-3962
- PATCHhttps://github.com/apolloconfig/apollo/pull/5192
- PATCHhttps://github.com/apolloconfig/apollo/commit/f55b419145bf9d4f2f51dd4cd45108229e8d97ed
- PATCHhttps://github.com/apolloconfig/apollo/releases/tag/v2.3.0