CVE-2020-15170

CVE-2020-15170

Name

CVE-2020-15170

Description

apollo-adminservice before version 1.7.1 does not implement access controls. If users expose apollo-adminservice to internet(which is not recommended), there are potential security issues since apollo-adminservice is designed to work in intranet and it doesn't have access control built-in. Malicious hackers may access apollo-adminservice apis directly to access/edit the application's configurations. To fix the potential issue without upgrading, simply follow the advice that do not expose apollo-adminservice to internet.

NVD Severity

medium

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
Patch	https://github.com/ctripcorp/apollo/pull/3233/commits/ae9ba6cfd32ed80469f162e5e3583e2477862ddf
Third Party Advisory	https://github.com/ctripcorp/apollo/security/advisories/GHSA-xpmx-h7xq-xffh

Type

URI

Patch

https://github.com/ctripcorp/apollo/pull/3233/commits/ae9ba6cfd32ed80469f162e5e3583e2477862ddf

Third Party Advisory

https://github.com/ctripcorp/apollo/security/advisories/GHSA-xpmx-h7xq-xffh

CPE URI	Source package	Min version	Max version
`cpe:2.3:a:ctrip:apollo::::::::`	apollo	>= None	< 1.7.1

CPE URI

Source package

Min version

Max version

cpe:2.3:a:ctrip:apollo:*:*:*:*:*:*:*:*

apollo

>= None

< 1.7.1

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
apollo	edge-community	0.3.1-r5	David Sugar <tychosoft@gmail.com>	possibly vulnerable
apollo	edge-community	0.3.1-r4	David Sugar <tychosoft@gmail.com>	possibly vulnerable
apollo	edge-community	0.3.1-r3	David Sugar <tychosoft@gmail.com>	possibly vulnerable
apollo	edge-community	0.3.1-r2	David Sugar <tychosoft@gmail.com>	possibly vulnerable
apollo	edge-community	0.3.1-r1	David Sugar <tychosoft@gmail.com>	possibly vulnerable
apollo	edge-community	0.3.1-r0	David Sugar <tychosoft@gmail.com>	possibly vulnerable
apollo	edge-community	0.3.0-r3	David Sugar <tychosoft@gmail.com>	possibly vulnerable
apollo	edge-community	0.3.0-r2	David Sugar <tychosoft@gmail.com>	possibly vulnerable
apollo	edge-community	0.3.0-r1	David Sugar <tychosoft@gmail.com>	possibly vulnerable
apollo	edge-community	0.3.0-r0	David Sugar <tychosoft@gmail.com>	possibly vulnerable
apollo	edge-community	0.2.3-r2	David Sugar <tychosoft@gmail.com>	possibly vulnerable
apollo	edge-community	0.2.3-r1	David Sugar <tychosoft@gmail.com>	possibly vulnerable
apollo	edge-community	0.2.3-r0	David Sugar <tychosoft@gmail.com>	possibly vulnerable
apollo	3.22-community	0.3.0-r7	David Sugar <tychosoft@gmail.com>	possibly vulnerable
apollo	3.22-community	0.3.0-r6	David Sugar <tychosoft@gmail.com>	possibly vulnerable
apollo	3.22-community	0.3.0-r5	David Sugar <tychosoft@gmail.com>	possibly vulnerable
apollo	3.22-community	0.3.0-r4	David Sugar <tychosoft@gmail.com>	possibly vulnerable

Source package

Branch

Version

Maintainer

Status

References

Match rules

Vulnerable and fixed packages