Apollo ConfigMgr 2.3.0 Fixed Sync Config Permission Bypass
CVE-2024-43397 Published on August 20, 2024
Potential unauthorized access issue in apollo-portal
Apollo is a configuration management system. A vulnerability exists in the synchronization configuration feature that allows users to craft specific requests to bypass permission checks. This exploit enables them to modify a namespace without the necessary permissions. The issue was addressed with an input parameter check which was released in version 2.3.0.
Vulnerability Analysis
CVE-2024-43397 can be exploited with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality, with no impact on integrity, and no impact on availability.
Weakness Type
What is an Authorization Vulnerability?
The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CVE-2024-43397 has been classified to as an Authorization vulnerability or weakness.
Products Associated with CVE-2024-43397
Want to know whenever a new CVE is published for Apolloconfig Apollo? stack.watch will email you.
Affected Versions
apolloconfig apollo Version < 2.3.0 is affected by CVE-2024-43397Vulnerable Packages
The following package name and versions may be associated with CVE-2024-43397
| Package Manager | Vulnerable Package | Versions | Fixed In |
|---|---|---|---|
| maven | com.ctrip.framework.apollo:apollo | < 2.3.0 | 2.3.0 |
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.