Vulnerability Details : CVE-2020-15170
apollo-adminservice before version 1.7.1 does not implement access controls. If users expose apollo-adminservice to the internet (which is not recommended), there are potential security issues, since apollo-adminservice is designed to work inside an intranet and has no access control built in. Malicious hackers may call the apollo-adminservice APIs directly to read or edit the application's configurations. To mitigate the issue without upgrading, simply follow the advice not to expose apollo-adminservice to the internet.
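The advisory's point is that, before 1.7.1, anyone who can reach the adminservice port can use its APIs, so the check that matters is whether an anonymous request from outside the intranet gets a real answer. The following Python script is an added example written for this page, not code from the Apollo project: it sends one unauthenticated GET to an adminservice endpoint and classifies the reply, and it carries a few constructed sample replies so the classification logic can be exercised offline. The probed path `/apps` and the `Authorization` header name used for a post-1.7.1 token are assumptions about the deployment being tested.

```python
import json
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Optional

# Assumption: /apps is used here as a representative read-only adminservice
# endpoint; any endpoint you know your adminservice serves will do.
DEFAULT_PATH = "/apps"


@dataclass
class ProbeResult:
    status: Optional[int]
    verdict: str  # EXPOSED, ACCESS_CONTROLLED, UNREACHABLE or INCONCLUSIVE
    detail: str


def classify(status: Optional[int], body: str, sent_token: bool = False) -> ProbeResult:
    """Decide what one HTTP reply from an adminservice endpoint tells us.

    The only reply that proves the condition the advisory describes is a
    successful JSON answer to a request that carried no credential at all.
    """
    if status is None:
        return ProbeResult(None, "UNREACHABLE",
                           "no HTTP response (the desired state from the internet side)")
    if status in (401, 403):
        return ProbeResult(status, "ACCESS_CONTROLLED", "server rejected the request")
    if status == 200 and sent_token:
        return ProbeResult(status, "INCONCLUSIVE",
                           "200 with a token says nothing about anonymous access")
    if status == 200:
        try:
            parsed = json.loads(body)
        except ValueError:
            # A login page or proxy error page also comes back as 200 text/html.
            return ProbeResult(status, "INCONCLUSIVE", "200 but non-JSON body")
        kind = "list" if isinstance(parsed, list) else type(parsed).__name__
        return ProbeResult(status, "EXPOSED", f"anonymous request answered with JSON {kind}")
    return ProbeResult(status, "INCONCLUSIVE", f"unexpected status {status}")


def probe(base_url: str, path: str = DEFAULT_PATH, token: Optional[str] = None,
          timeout: float = 5.0) -> ProbeResult:
    """Issue one GET against a live service and classify the answer (network call)."""
    req = urllib.request.Request(base_url.rstrip("/") + path, method="GET")
    req.add_header("Accept", "application/json")
    if token:
        # Assumption: the access-control feature added in 1.7.1 reads its token
        # from the Authorization header; adjust if your deployment differs.
        req.add_header("Authorization", token)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read().decode("utf-8", "replace"),
                            token is not None)
    except urllib.error.HTTPError as e:
        return classify(e.code, e.read().decode("utf-8", "replace"), token is not None)
    except (urllib.error.URLError, OSError):
        return classify(None, "", token is not None)


# Constructed sample replies (status, body, sent_token) for offline use.
SAMPLE_REPLIES = {
    "pre-1.7.1 reachable from the internet": (200, '[{"appId":"SampleApp","name":"Sample App"}]', False),
    "1.7.1 with access control enabled": (401, "Unauthorized", False),
    "wrong path or not adminservice": (404, "", False),
    "nothing listening on that port": (None, "", False),
}


def run_samples() -> dict:
    """Classify every constructed sample reply; returns {name: verdict}."""
    return {name: classify(*args).verdict for name, args in SAMPLE_REPLIES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:40s} -> {verdict}")
```

Run `probe("http://<internet-facing-host>:8090")` from a host outside the intranet (8090 is assumed to be the adminservice port, as in a default Apollo setup). EXPOSED reproduces the exposure the advisory warns about; ACCESS_CONTROLLED means the 1.7.1 control, or something placed in front of the service, is rejecting anonymous calls; UNREACHABLE from the outside is the recommended state. Repeat the same probe from inside the intranet to confirm the service is actually up, otherwise an UNREACHABLE result proves nothing.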
Vulnerability category: Input validation
Products affected by CVE-2020-15170
- cpe:2.3:a:ctrip:apollo:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-15170
- EPSS score: 0.14% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~49% (proportion of all scored vulnerabilities with a score at or below this one)
CVSS scores for CVE-2020-15170
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P (CVSS v2.0) | 8.6 | 6.4 | NIST | 
7.0 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L | 2.2 | 4.7 | NIST | 
7.0 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L | 2.2 | 4.7 | GitHub, Inc. | 

Both v3.1 assessments agree: network-reachable with no privileges or user interaction required (AV:N/PR:N/UI:N), high integrity impact because the configuration can be edited, and high attack complexity reflecting that the service must first have been exposed outside the intranet.
CWE ids for CVE-2020-15170
- The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. Assigned by: security-advisories@github.com (Secondary)

Note that this CWE text describes improper input validation, whereas the advisory above describes a missing access control on the service's APIs; treat the CWE label as the assigner's classification choice rather than as a description of the flaw.
References for CVE-2020-15170
- https://github.com/ctripcorp/apollo/pull/3233/commits/ae9ba6cfd32ed80469f162e5e3583e2477862ddf (add access control support for admin service by nobodyiam · Pull Request #3233 · ctripcorp/apollo · GitHub): Patch; Third Party Advisory
- https://github.com/ctripcorp/apollo/security/advisories/GHSA-xpmx-h7xq-xffh (Potential access control security issue in apollo-adminservice · Advisory · ctripcorp/apollo · GitHub): Third Party Advisory