Server-Side Request Forgery (SSRF) in com.ctrip.framework.apollo:apollo

GHSA-fvx3-g627-phm2 · CVE-2019-10686

Published Apr 18, 2019 · Modified Feb 16, 2024

Description

An SSRF vulnerability was found in an API from Ctrip Apollo through 1.4.0-SNAPSHOT. An attacker may use it to do an intranet port scan or raise a GET request via /system-info/health because the %23 substring is mishandled.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2019-10686
WEB https://github.com/ctripcorp/apollo/issues/2103
ADVISORY https://github.com/advisories/GHSA-fvx3-g627-phm2
PACKAGE https://github.com/ctripcorp/apollo

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes