CVE-2020-15170: Improper Input Validation

September 10, 2020 (updated November 18, 2021)

apollo-adminservice does not implement access controls. If users expose apollo-adminservice to internet(which is not recommended), there are potential security issues since apollo-adminservice is designed to work in intranet and it does not have access control built-in. Malicious hackers may access apollo-adminservice apis directly to access/edit the application’s configurations. To fix the potential issue without upgrading, simply follow the advice that do not expose apollo-adminservice to internet.

References

nvd.nist.gov/vuln/detail/CVE-2020-15170

Detect and mitigate CVE-2020-15170 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →