CVE-2025-32781
Java Analyse et atténuation des vulnérabilités

Aperçu

CVE-2025-32781 is a missing authorization vulnerability in Apollo Portal that allows authenticated low-privileged users to access configuration data belonging to applications and namespaces they are not authorized to view. The flaw affects all Apollo Portal versions before 2.5.0 (Maven package com.ctrip.framework.apollo:apollo) when the configView.memberOnly.envs setting is enabled. It was reported by researcher @lesignals, fixed via PR #5378 merged on April 11, 2025, and publicly disclosed on July 12–13, 2026. The vulnerability carries a CVSS v3.1 base score of 6.5 (Medium) (GitHub Advisory, Apollo Advisory).

Détails techniques

The root cause is a missing authorization check (CWE-862 / CWE-639) in the ReleaseController.get() method within Apollo Portal's apollo-portal module. The endpoint GET /envs/{env}/releases/{releaseId} retrieves release data by a caller-supplied numeric releaseId without invoking UserPermissionValidator.shouldHideConfigToCurrentUser(appId, env, clusterName, namespaceName), which is the standard permission gate used by other endpoints in the same controller. Because release IDs are sequential integers, an attacker can enumerate or guess valid IDs belonging to other applications and namespaces. The fix (commit 362735d) inserts the missing permission check immediately after confirming the release exists and throws AccessDeniedException if the current user lacks access (Apollo Advisory, Fix Commit).

Impact

Successful exploitation allows an authenticated but low-privileged Portal user to read configuration data — including credentials, API keys, database connection strings, and service endpoints — from any application or namespace hosted in the affected environment. The vulnerability is a confidentiality-only issue: it does not permit configuration modification and does not affect system availability. In multi-tenant or enterprise Apollo deployments, this could expose sensitive secrets across organizational boundaries, enabling lateral movement or further attacks against downstream services (GitHub Advisory).

Étapes d’exploitation

  1. Authenticate: Log in to the Apollo Portal with any valid low-privileged account (no admin rights required).
  2. Identify target environment: Determine the environment name (e.g., PRO, UAT) where configView.memberOnly.envs is enabled and where sensitive applications reside.
  3. Enumerate release IDs: Since release IDs are sequential integers, iterate over candidate values by sending GET /envs/{env}/releases/{releaseId} with incrementing releaseId values (e.g., starting from 1 upward).
  4. Retrieve unauthorized release data: For each valid release ID belonging to an application or namespace the attacker is not authorized to view, the endpoint returns the full release payload — including all configuration key-value pairs — without performing a permission check.
  5. Extract sensitive values: Parse the returned JSON for credentials, connection strings, API keys, or other sensitive configuration values that can be used for lateral movement or further attacks (Apollo Advisory, Fix Commit).

Indicateurs de compromis

  • Network: Repeated or sequential GET /envs/{env}/releases/{releaseId} requests from a single authenticated user session, especially with incrementing integer releaseId values across a short time window.
  • Logs: Apollo Portal access logs showing a single user account querying release IDs associated with multiple different appId values or namespaces they do not own; HTTP 200 responses to /envs/*/releases/* endpoints for applications outside the user's assigned scope.
  • Behavioral: A low-privileged user account generating an unusually high volume of release retrieval requests compared to normal usage patterns; requests targeting release IDs in environments marked as member-only (configView.memberOnly.envs).

Atténuation et solutions de contournement

The primary remediation is to upgrade Apollo Portal to version 2.5.0 or later, which includes the missing permission check in ReleaseController.get() (Apollo Release). If an immediate upgrade is not feasible, the Apollo team recommends backporting the four-line permission check from PR #5378 into the affected ReleaseController.java and restricting Apollo Portal access to trusted users only until the fix is deployed (Apollo Advisory). Additionally, auditing Portal user accounts to ensure only necessary personnel have access reduces the attack surface while the patch is pending.

Ressources additionnelles


SourceCe rapport a été généré à l’aide de l’IA

Apparenté Java Vulnérabilités:

Identifiant CVE

Sévérité

Score

Technologies

Nom du composant

Exploit CISA KEV

A corrigé

Date de publication

CVE-2026-50270HIGH7.5
  • Java logoJava
  • com.datadoghq:dd-java-agent
NonOuiJul 15, 2026
CVE-2026-59955HIGH7.5
  • Java logoJava
  • com.ctrip.framework.apollo:apollo
NonOuiJul 15, 2026
CVE-2026-59954HIGH7.5
  • Java logoJava
  • com.ctrip.framework.apollo:apollo
NonNonJul 15, 2026
CVE-2026-44891HIGH7.5
  • Java logoJava
  • pinot
NonOuiJul 14, 2026
CVE-2025-32781MEDIUM6.5
  • Java logoJava
  • com.ctrip.framework.apollo:apollo
NonOuiJul 15, 2026

Évaluation gratuite des vulnérabilités

Évaluez votre posture de sécurité dans le cloud

Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.

Demander une évaluation

Obtenez une démo personnalisée

Prêt(e) à voir Wiz en action ?

"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
David EstlickRSSI
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
Adam FletcherChef du service de sécurité
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."
Greg PoniatowskiResponsable de la gestion des menaces et des vulnérabilités