
CVE-2025-20002 – GMOD Apollo Generation of Error Message Containing Sensitive Information
https://notcve.org/view.php?id=CVE-2025-20002
05 Mar 2025 — After attempting to upload a file that does not meet prerequisites, GMOD Apollo will respond with local path information disclosure • https://github.com/GMOD/Apollo • CWE-209: Generation of Error Message Containing Sensitive Information

CVE-2025-24924 – GMOD Apollo Missing Authentication for Critical Function
https://notcve.org/view.php?id=CVE-2025-24924
05 Mar 2025 — Certain functionality within GMOD Apollo does not require authentication when passed with an administrative username • https://www.cisa.gov/news-events/ics-advisories/icsa-25-063-07 • CWE-306: Missing Authentication for Critical Function

CVE-2025-23410 – GMOD Apollo Relative Path Traversal
https://notcve.org/view.php?id=CVE-2025-23410
04 Mar 2025 — When uploading organism or sequence data via the web interface, GMOD Apollo will unzip and inspect the files and will not check for path traversal in supported archive types. • https://www.cisa.gov/news-events/ics-advisories/icsa-25-063-07 • CWE-23: Relative Path Traversal

CVE-2025-21092 – GMOD Apollo Incorrect Privilege Assignment
https://notcve.org/view.php?id=CVE-2025-21092
04 Mar 2025 — GMOD Apollo does not have sufficient logical or access checks when updating a user's information. This could result in an attacker being able to escalate privileges for themselves or others. • https://www.cisa.gov/news-events/ics-advisories/icsa-25-063-07 • CWE-266: Incorrect Privilege Assignment

CVE-2024-43397 – Potential unauthorized access issue in apollo-portal
https://notcve.org/view.php?id=CVE-2024-43397
20 Aug 2024 — Apollo is a configuration management system. A vulnerability exists in the synchronization configuration feature that allows users to craft specific requests to bypass permission checks. This exploit enables them to modify a namespace without the necessary permissions. The issue was addressed with an input parameter check which was released in version 2.3.0. • https://github.com/apolloconfig/apollo/commit/f55b419145bf9d4f2f51dd4cd45108229e8d97ed • CWE-284: Improper Access Control

CVE-2022-4962 – Apollo Configuration Center users improper authorization
https://notcve.org/view.php?id=CVE-2022-4962
12 Jan 2024 — A vulnerability was found in Apollo 2.0.0/2.0.1 and classified as problematic. Affected by this issue is some unknown functionality of the file /users of the component Configuration Center. The manipulation leads to improper authorization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. • https://github.com/apolloconfig/apollo/issues/4684 • CWE-285: Improper Authorization

CVE-2023-25570 – Apollo has potential access control security issue in eureka
https://notcve.org/view.php?id=CVE-2023-25570
20 Feb 2023 — Apollo is a configuration management system. Prior to version 2.1.0, there are potential security issues if users expose apollo-configservice to the internet, which is not recommended. This is because there is no authentication feature enabled for the built-in eureka service. Malicious hackers may access eureka directly to mock apollo-configservice and apollo-adminservice. Login authentication for eureka was added in version 2.1.0. • https://github.com/apolloconfig/apollo/commit/7df79bf8df6960433ed4ff782a54e3dfc74632bd • CWE-306: Missing Authentication for Critical Function

CVE-2023-25569 – apollo-portal has potential CSRF issue
https://notcve.org/view.php?id=CVE-2023-25569
20 Feb 2023 — Apollo is a configuration management system. Prior to version 2.1.0, a low-privileged user can create a special web page. If an authenticated portal admin visits this page, the page can silently send a request to assign new roles for that user without any confirmation from the Portal admin. Cookie SameSite strategy was set to Lax in version 2.1.0. As a workaround, avoid visiting unknown source pages. • https://github.com/apolloconfig/apollo/commit/00d968a7229f809b0d8ed0532e8c01a6c2b7c750 • CWE-352: Cross-Site Request Forgery (CSRF)

CVE-2015-10043 – abreen Apollo path traversal
https://notcve.org/view.php?id=CVE-2015-10043
14 Jan 2023 — A vulnerability, which was classified as critical, was found in abreen Apollo. This affects an unknown part. The manipulation of the argument file leads to path traversal. The patch is named 6206406630780bbd074aff34f4683fb764faba71. It is recommended to apply a patch to fix this issue. • https://github.com/abreen/Apollo/commit/6206406630780bbd074aff34f4683fb764faba71 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVE-2020-15170 – Missing access control in apollo-adminservice
https://notcve.org/view.php?id=CVE-2020-15170
10 Sep 2020 — apollo-adminservice before version 1.7.1 does not implement access controls. If users expose apollo-adminservice to the internet (which is not recommended), there are potential security issues since apollo-adminservice is designed to work in an intranet and it doesn't have access control built-in. Malicious hackers may access apollo-adminservice APIs directly to access/edit the application's configurations. To fix the potential issue without upgrading, simply follow the advice that do not expose apollo-adminservice... • https://github.com/ctripcorp/apollo/pull/3233/commits/ae9ba6cfd32ed80469f162e5e3583e2477862ddf • CWE-20: Improper Input Validation