CVE-2024-43397

{"id": "CVE-2024-43397", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 2.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 2.8}]}, "published": "2024-08-20T15:15:23.673", "references": [{"url": "https://github.com/apolloconfig/apollo/commit/f55b419145bf9d4f2f51dd4cd45108229e8d97ed", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/apolloconfig/apollo/pull/5192", "tags": ["Issue Tracking", "Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/apolloconfig/apollo/releases/tag/v2.3.0", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/apolloconfig/apollo/security/advisories/GHSA-c6c3-h4f7-3962", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-284"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}], "descriptions": [{"lang": "en", "value": "Apollo is a configuration management system. A vulnerability exists in the synchronization configuration feature that allows users to craft specific requests to bypass permission checks. This exploit enables them to modify a namespace without the necessary permissions. The issue was addressed with an input parameter check which was released in version 2.3.0."}, {"lang": "es", "value": "Apollo es un sistema de gesti\u00f3n de configuraci\u00f3n. Existe una vulnerabilidad en la funci\u00f3n de configuraci\u00f3n de sincronizaci\u00f3n que permite a los usuarios crear solicitudes espec\u00edficas para eludir las comprobaciones de permisos. Este exploit les permite modificar un espacio de nombres sin los permisos necesarios. El problema se solucion\u00f3 con una verificaci\u00f3n de par\u00e1metros de entrada que se lanz\u00f3 en la versi\u00f3n 2.3.0."}], "lastModified": "2024-08-26T18:28:42.230", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apolloconfig:apollo:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E006ED33-D024-4D31-BCE6-E2F8121739D6", "versionEndExcluding": "2.3.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}