CVE-2023-25569

Name
CVE-2023-25569
Description
Apollo is a configuration management system. Prior to version 2.1.0, a low-privileged user can create a special web page. If an authenticated portal admin visits this page, the page can silently send a request to assign new roles for that user without any confirmation from the Portal admin. Cookie SameSite strategy was set to Lax in version 2.1.0. As a workaround, avoid visiting unknown source pages.
NVD Severity
medium
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
MISC https://github.com/apolloconfig/apollo/security/advisories/GHSA-fmxq-v8mg-qh25
MISC https://www.apolloconfig.com/#/en/usage/apollo-user-guide?id=_71-security-related
MISC https://github.com/apolloconfig/apollo/releases/tag/v2.1.0
MISC https://github.com/apolloconfig/apollo/pull/4664
MISC https://github.com/apolloconfig/apollo/commit/00d968a7229f809b0d8ed0532e8c01a6c2b7c750

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:apolloconfig:apollo:*:*:*:*:*:*:*:* apollo >= None < 2.1.0

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
apollo edge-community 0.3.1-r5 David Sugar <tychosoft@gmail.com> possibly vulnerable
apollo edge-community 0.3.1-r4 David Sugar <tychosoft@gmail.com> possibly vulnerable
apollo edge-community 0.3.1-r3 David Sugar <tychosoft@gmail.com> possibly vulnerable
apollo edge-community 0.3.1-r2 David Sugar <tychosoft@gmail.com> possibly vulnerable
apollo edge-community 0.3.1-r1 David Sugar <tychosoft@gmail.com> possibly vulnerable
apollo edge-community 0.3.1-r0 David Sugar <tychosoft@gmail.com> possibly vulnerable
apollo edge-community 0.3.0-r3 David Sugar <tychosoft@gmail.com> possibly vulnerable
apollo edge-community 0.3.0-r2 David Sugar <tychosoft@gmail.com> possibly vulnerable
apollo edge-community 0.3.0-r1 David Sugar <tychosoft@gmail.com> possibly vulnerable
apollo edge-community 0.3.0-r0 David Sugar <tychosoft@gmail.com> possibly vulnerable
apollo edge-community 0.2.3-r2 David Sugar <tychosoft@gmail.com> possibly vulnerable
apollo edge-community 0.2.3-r1 David Sugar <tychosoft@gmail.com> possibly vulnerable
apollo edge-community 0.2.3-r0 David Sugar <tychosoft@gmail.com> possibly vulnerable
apollo 3.22-community 0.3.0-r7 David Sugar <tychosoft@gmail.com> possibly vulnerable
apollo 3.22-community 0.3.0-r6 David Sugar <tychosoft@gmail.com> possibly vulnerable
apollo 3.22-community 0.3.0-r5 David Sugar <tychosoft@gmail.com> possibly vulnerable
apollo 3.22-community 0.3.0-r4 David Sugar <tychosoft@gmail.com> possibly vulnerable