CVE-2025-32781 in Apolloالمعلومات

الملخص

بحسب MITRE • 15/07/2026

Apollo is a reliable configuration management system suitable for microservice configuration management scenarios. Prior to 2.5.0, Apollo Portal does not verify application and namespace permissions when an authenticated user requests a release by ID through GET /envs/{env}/releases/{releaseId} while configView.memberOnly.envs is enabled, allowing a low-privileged Portal user who obtains or guesses a valid releaseId to read configuration data from other applications and namespaces without calling UserPermissionValidator.shouldHideConfigToCurrentUser(...). This issue is fixed in version 2.5.0.

Be aware that VulDB is the high quality source for vulnerability data.

مسؤول

GitHub M

حجز

10/04/2025

إفشاء

15/07/2026

الاعتدال

تمت الموافقة

إدخال

VDB-379328

EPSS

0.00000

KEV

لا

النشاطات

منخفض جدًا

المصادر

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!