GHSA-h4pc-58cc-hc95
Apollo ConfigService access key authentication bypass via raw config file appId parsing
Details
### Summary Apollo ConfigService may allow unauthorized access to raw configuration data when AccessKey / management key authentication is enabled because authentication parsed the appId incorrectly for the raw config file endpoint.
### Details Requests under /configfiles/raw/{appId}/{clusterName}/{namespace} were parsed for authentication as appId "raw" instead of the actual path appId. ConfigService used the parsed appId to look up available AccessKey secrets before verifying the request signature.
If no AccessKey is configured for an application literally named "raw", ConfigService may treat the request as having no available secrets and allow it to continue without signature verification, even when AccessKey / management key authentication is enabled for the actual target appId in the path.
### Impact An unauthenticated remote attacker may read raw configuration data from affected ConfigService endpoints when AccessKey / management key authentication is enabled for the target app and the attacker requests the raw config file endpoint.
### Affected endpoints The primary impact is on ConfigService raw config file reads under /configfiles/raw/{appId}/{clusterName}/{namespace}.
### Status Fixed in Apollo 2.5.2. Users should upgrade to Apollo 2.5.2 or later.
### Related advisory The non-canonical appId matching issue is tracked separately in GHSA-4w3q-qpfq-v992 so each independently fixable vulnerability can receive its own CVE.
Are you affected?
Enter the version of the package you're using.
Affected packages
0 No fixed version published yet for com.ctrip.framework.apollo:apollo (maven). Pin to a known-safe version or switch to an alternative.