Vulnerabilities
Misconfiguration
Runtime Security
Compliance
CVE Vulnerabilities

CVE-2020-15170

Published: Sep 10, 2020 | Modified: Nov 18, 2021
CVSS 3.x
7
HIGH
Source:
NVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L
CVSS 2.x
6.8 MEDIUM
AV:N/AC:M/Au:N/C:P/I:P/A:P
RedHat/V2
RedHat/V3
Ubuntu
Additional information
NVDhttps://nvd.nist.gov/vuln/detail/CVE-2020-15170
CWEhttps://cwe.mitre.org/data/definitions/NVD-Other.html

apollo-adminservice before version 1.7.1 does not implement access controls. If users expose apollo-adminservice to internet(which is not recommended), there are potential security issues since apollo-adminservice is designed to work in intranet and it doesnt have access control built-in. Malicious hackers may access apollo-adminservice apis directly to access/edit the applications configurations. To fix the potential issue without upgrading, simply follow the advice that do not expose apollo-adminservice to internet.

Affected Software

Name Vendor Start Version End Version
Apollo Ctrip * 1.7.1 (excluding)

References

Aqua Security is the largest pure-play cloud native security company, providing customers the freedom to innovate and run their businesses with minimal friction. The Aqua Cloud Native Security Platform provides prevention, detection, and response automation across the entire application lifecycle to secure the build, secure cloud infrastructure and secure running workloads wherever they are deployed.
Copyright © 2024 Aqua Security Software Ltd.   Privacy Policy | Terms of Use