CVE-2023-25570

Apollo has potential access control security issue in eureka

Description

Apollo is a configuration management system. Prior to version 2.1.0, there are potential security issues if users expose apollo-configservice to the internet, which is not recommended. This is because there is no authentication feature enabled for the built-in eureka service. Malicious hackers may access eureka directly to mock apollo-configservice and apollo-adminservice. Login authentication for eureka was added in version 2.1.0. As a workaround, avoid exposing apollo-configservice to the internet.

Category

7.5
CVSS
Severity: High
CVSS 3.1 •
EPSS 0.08%
Third-Party Advisory github.com
Affected: apolloconfig apollo
Published at:
Updated at:

References

Link Tags
https://github.com/apolloconfig/apollo/security/advisories/GHSA-368x-wmmg-hq5c third party advisory
https://github.com/apolloconfig/apollo/pull/4663 patch issue tracking
https://github.com/apolloconfig/apollo/commit/7df79bf8df6960433ed4ff782a54e3dfc74632bd patch
https://github.com/apolloconfig/apollo/releases/tag/v2.1.0 release notes

Frequently Asked Questions

What is the severity of CVE-2023-25570?
CVE-2023-25570 has been scored as a high severity vulnerability.
How to fix CVE-2023-25570?
To fix CVE-2023-25570, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2023-25570 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2023-25570 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2023-25570?
CVE-2023-25570 affects apolloconfig apollo.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.