CVE-2024-43397

Apollo is a configuration management system. A vulnerability exists in the synchronization configuration feature that allows users to craft specific requests to bypass permission checks. This exploit enables them to modify a namespace without the necessary permissions. The issue was addressed with an input parameter check which was released in version 2.3.0.

CVSS v3 4.3 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/apolloconfig/apollo/commit/f55b419145bf9d4f2f51dd4cd45108229e8d97ed	Patch
https://github.com/apolloconfig/apollo/pull/5192	Issue Tracking Patch
https://github.com/apolloconfig/apollo/releases/tag/v2.3.0	Release Notes
https://github.com/apolloconfig/apollo/security/advisories/GHSA-c6c3-h4f7-3962	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:apolloconfig:apollo:*:*:*:*:*:*:*:*

History

26 Aug 2024, 18:28

Type	Values Removed	Values Added
CWE		NVD-CWE-Other
CPE		cpe:2.3:a:apolloconfig:apollo::::::::
First Time		Apolloconfig Apolloconfig apollo
References	~~() https://github.com/apolloconfig/apollo/commit/f55b419145bf9d4f2f51dd4cd45108229e8d97ed -~~	() https://github.com/apolloconfig/apollo/commit/f55b419145bf9d4f2f51dd4cd45108229e8d97ed - Patch
References	~~() https://github.com/apolloconfig/apollo/pull/5192 -~~	() https://github.com/apolloconfig/apollo/pull/5192 - Issue Tracking, Patch
References	~~() https://github.com/apolloconfig/apollo/releases/tag/v2.3.0 -~~	() https://github.com/apolloconfig/apollo/releases/tag/v2.3.0 - Release Notes
References	~~() https://github.com/apolloconfig/apollo/security/advisories/GHSA-c6c3-h4f7-3962 -~~	() https://github.com/apolloconfig/apollo/security/advisories/GHSA-c6c3-h4f7-3962 - Vendor Advisory

20 Aug 2024, 15:44

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-08-20 15:15

Updated : 2024-08-26 18:28

NVD link : CVE-2024-43397

Mitre link : CVE-2024-43397

CVE.ORG link : CVE-2024-43397

JSON object : View

Products Affected

apolloconfig

apollo

CWE

NVD-CWE-Other CWE-284

Improper Access Control

{"id": "CVE-2024-43397", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 2.8}]}, "published": "2024-08-20T15:15:23.673", "references": [{"url": "https://github.com/apolloconfig/apollo/commit/f55b419145bf9d4f2f51dd4cd45108229e8d97ed", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/apolloconfig/apollo/pull/5192", "tags": ["Issue Tracking", "Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/apolloconfig/apollo/releases/tag/v2.3.0", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/apolloconfig/apollo/security/advisories/GHSA-c6c3-h4f7-3962", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}, {"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-284"}]}], "descriptions": [{"lang": "en", "value": "Apollo is a configuration management system. A vulnerability exists in the synchronization configuration feature that allows users to craft specific requests to bypass permission checks. This exploit enables them to modify a namespace without the necessary permissions. The issue was addressed with an input parameter check which was released in version 2.3.0."}, {"lang": "es", "value": "Apollo es un sistema de gesti\u00f3n de configuraci\u00f3n. Existe una vulnerabilidad en la funci\u00f3n de configuraci\u00f3n de sincronizaci\u00f3n que permite a los usuarios crear solicitudes espec\u00edficas para eludir las comprobaciones de permisos. Este exploit les permite modificar un espacio de nombres sin los permisos necesarios. El problema se solucion\u00f3 con una verificaci\u00f3n de par\u00e1metros de entrada que se lanz\u00f3 en la versi\u00f3n 2.3.0."}], "lastModified": "2024-08-26T18:28:42.230", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apolloconfig:apollo:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E006ED33-D024-4D31-BCE6-E2F8121739D6", "versionEndExcluding": "2.3.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}