Apollo
CVE-2019-10686
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionNVD
An SSRF vulnerability was found in an API from Ctrip Apollo through 1.4.0-SNAPSHOT. An attacker may use it to do an intranet port scan or raise a GET request via /system-info/health because the %23 substring is mishandled.
AnalysisAI
An SSRF vulnerability was found in an API from Ctrip Apollo through 1.4.0-SNAPSHOT. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified as Server-Side Request Forgery (SSRF) (CWE-918), which allows attackers to make the server perform requests to unintended internal or external resources. An SSRF vulnerability was found in an API from Ctrip Apollo through 1.4.0-SNAPSHOT. An attacker may use it to do an intranet port scan or raise a GET request via /system-info/health because the %23 substring is mishandled. Affected products include: Ctrip Apollo. Version information: through 1.4.0.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Validate and allowlist destination URLs, block requests to internal networks, use network segmentation.
A vulnerability was found in Apollo 2.0.0/2.0.1 and classified as problematic. Rated medium severity (CVSS 4.3), this vu
An issue in apollocongif apollo v.2.2.0 allows a remote attacker to obtain sensitive information via a crafted request.
Apollo is a configuration management system. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable,
apollo-adminservice before version 1.7.1 does not implement access controls. Rated high severity (CVSS 7.0), this vulner
Apollo is a configuration management system. Rated medium severity (CVSS 5.7), this vulnerability is remotely exploitabl
Apollo is a configuration management system. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitabl
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today