
PEACH
Un cadre d’isolation des locataires
CVE-2025-32781 is a missing authorization vulnerability in Apollo Portal that allows authenticated low-privileged users to access configuration data belonging to applications and namespaces they are not authorized to view. The flaw affects all Apollo Portal versions before 2.5.0 (Maven package com.ctrip.framework.apollo:apollo) when the configView.memberOnly.envs setting is enabled. It was reported by researcher @lesignals, fixed via PR #5378 merged on April 11, 2025, and publicly disclosed on July 12–13, 2026. The vulnerability carries a CVSS v3.1 base score of 6.5 (Medium) (GitHub Advisory, Apollo Advisory).
The root cause is a missing authorization check (CWE-862 / CWE-639) in the ReleaseController.get() method within Apollo Portal's apollo-portal module. The endpoint GET /envs/{env}/releases/{releaseId} retrieves release data by a caller-supplied numeric releaseId without invoking UserPermissionValidator.shouldHideConfigToCurrentUser(appId, env, clusterName, namespaceName), which is the standard permission gate used by other endpoints in the same controller. Because release IDs are sequential integers, an attacker can enumerate or guess valid IDs belonging to other applications and namespaces. The fix (commit 362735d) inserts the missing permission check immediately after confirming the release exists and throws AccessDeniedException if the current user lacks access (Apollo Advisory, Fix Commit).
Successful exploitation allows an authenticated but low-privileged Portal user to read configuration data — including credentials, API keys, database connection strings, and service endpoints — from any application or namespace hosted in the affected environment. The vulnerability is a confidentiality-only issue: it does not permit configuration modification and does not affect system availability. In multi-tenant or enterprise Apollo deployments, this could expose sensitive secrets across organizational boundaries, enabling lateral movement or further attacks against downstream services (GitHub Advisory).
PRO, UAT) where configView.memberOnly.envs is enabled and where sensitive applications reside.GET /envs/{env}/releases/{releaseId} with incrementing releaseId values (e.g., starting from 1 upward).GET /envs/{env}/releases/{releaseId} requests from a single authenticated user session, especially with incrementing integer releaseId values across a short time window.appId values or namespaces they do not own; HTTP 200 responses to /envs/*/releases/* endpoints for applications outside the user's assigned scope.configView.memberOnly.envs).The primary remediation is to upgrade Apollo Portal to version 2.5.0 or later, which includes the missing permission check in ReleaseController.get() (Apollo Release). If an immediate upgrade is not feasible, the Apollo team recommends backporting the four-line permission check from PR #5378 into the affected ReleaseController.java and restricting Apollo Portal access to trusted users only until the fix is deployed (Apollo Advisory). Additionally, auditing Portal user accounts to ensure only necessary personnel have access reduces the attack surface while the patch is pending.
Source: Ce rapport a été généré à l’aide de l’IA
Évaluation gratuite des vulnérabilités
Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.
Obtenez une démo personnalisée
"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."