Description
Potential access control security issue in apollo-adminservice
Impact
If users expose apollo-adminservice to the internet (which is not recommended), there are potential security issues, since apollo-adminservice is designed to work inside an intranet and has no built-in access control. Malicious actors may call the apollo-adminservice APIs directly to read or edit the application's configurations.
Patches
Access control for the admin service was added in #3233 and released in v1.7.1.
Workarounds
To mitigate the issue without upgrading, follow the existing advice: do not expose apollo-adminservice to the internet.
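As an added example (not part of this advisory and not a file from the Apollo project), the two mitigations above expressed as apollo-adminservice Spring Boot properties: the access control introduced in 1.7.1 beside the network-level workaround that applies to any version. The `admin-service.access.control.enabled` and `admin-service.access.tokens` names follow Apollo's documentation for the 1.7.1+ feature as I recall it and should be verified against your version's docs; `server.address` is the standard Spring Boot bind-address property; the address and token values are constructed placeholders.

```properties
# Added example, not from the advisory or the Apollo project.
# Property names for the access control feature are taken from Apollo's
# documentation for 1.7.1+; verify against the docs for your version.

# --- Weak: access control disabled (the pre-1.7.1 behaviour) ---
# Every client that can reach the admin service port may read or edit
# any application's configuration through the admin APIs.
admin-service.access.control.enabled=false
# Bound to all interfaces, so an internet-facing host exposes the service.
server.address=0.0.0.0

# --- Hardened (1.7.1+): require a token on every admin API call ---
admin-service.access.control.enabled=true
# Comma-separated list of accepted tokens; the portal must present one of them.
# Placeholder values: generate long random secrets and keep them out of VCS.
admin-service.access.tokens=REPLACE_WITH_RANDOM_TOKEN_1,REPLACE_WITH_RANDOM_TOKEN_2

# --- Workaround for any version: bind only to the intranet interface ---
# Constructed intranet address; the service is then unreachable from a public
# interface even if the host itself has one.
server.address=10.0.0.5
```

Enabling the token check on the admin service alone is not enough: the portal must be configured with a matching token (in Apollo's portal this is a ServerConfig entry; check the key name in your version's documentation), otherwise the portal's own requests are rejected. The bind-address line is a defence-in-depth measure, not a replacement for upgrading, since a misplaced reverse proxy can still forward public traffic to an intranet address; the advisory's guidance to keep the service off the internet still applies.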
Credits
Lexu reported the issue and provided the information required to reproduce it.
References
For more information
If you have any questions or comments about this advisory:
- Open an issue
- Email to one of the active project maintainers
Packages
com.ctrip.framework.apollo:apollo-core
Affected versions: < 1.7.1
Patched version: 1.7.1
Related vulnerabilities
apollo-adminservice before version 1.7.1 does not implement access controls. If users expose apollo-adminservice to the internet (which is not recommended), there are potential security issues, since apollo-adminservice is designed to work inside an intranet and has no built-in access control. Malicious actors may call the apollo-adminservice APIs directly to read or edit the application's configurations. To mitigate the issue without upgrading, follow the existing advice: do not expose apollo-adminservice to the internet.