Server-Side Request Forgery (SSRF) Affecting com.ctrip.framework.apollo:apollo package, versions [0,1.4.0)
12 Sep 2021
18 Apr 2019
How to fix?
Upgrade com.ctrip.framework.apollo:apollo to version 1.4.0 or higher.
Affected versions of this package are vulnerable to Server-Side Request Forgery (SSRF). The /system-info/health interface uses RestTemplate to initiate a request, and there is no restriction on the host entered by the user. An attacker may use this to perform an intranet port scan or raise a GET request via /system-info/health because the %23 substring is mishandled.
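As an added example (not Apollo's own code), a plain-Java validator a defender could place in front of the RestTemplate call: it decodes the user-supplied host before checking it, so an encoded %23 cannot smuggle a `#` past the parser, and it only returns a target rebuilt from an allowlist. The allowlisted host names and ports, and the class name, are assumptions.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.Set;

/** Checks a user-supplied "host" before RestTemplate is allowed to contact it. */
public final class HealthTargetValidator {
    // Hypothetical allowlist: the only services this portal may probe for health.
    private static final Set<String> ALLOWED_HOSTS = Set.of("config-service.internal", "admin-service.internal");
    private static final Set<Integer> ALLOWED_PORTS = Set.of(8080, 8090);

    /** Returns a base URL rebuilt from validated parts, or throws if the input must not be contacted. */
    public static String validate(String userHost) {
        require(userHost != null && !userHost.isBlank(), "host is required");
        // Decode before any structural check: an encoded '#' (%23) or '@' (%40) that a parser treats
        // as a harmless path character becomes a real delimiter once the URL is decoded downstream.
        String decoded = URLDecoder.decode(userHost, StandardCharsets.UTF_8);
        require(decoded.indexOf('#') < 0 && decoded.indexOf('@') < 0 && decoded.indexOf('?') < 0,
                "host contains a forbidden delimiter");
        URI uri;
        try {
            uri = new URI(decoded).normalize();
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("host is not a valid URI", e);
        }
        String scheme = uri.getScheme() == null ? "" : uri.getScheme().toLowerCase();
        require(scheme.equals("http") || scheme.equals("https"), "scheme must be http or https");
        String host = uri.getHost();
        require(host != null && ALLOWED_HOSTS.contains(host.toLowerCase()), "host is not on the allowlist");
        int port = uri.getPort() != -1 ? uri.getPort() : (scheme.equals("https") ? 443 : 80);
        require(ALLOWED_PORTS.contains(port), "port is not on the allowlist");
        return scheme + "://" + host + ":" + port;   // rebuilt from checked parts, never the raw input
    }

    private static void require(boolean ok, String why) {
        if (!ok) throw new IllegalArgumentException(why);
    }

    public static void main(String[] args) {
        // Constructed inputs: one legitimate target, two shapes an SSRF attempt would take.
        for (String c : new String[] {"http://config-service.internal:8080",
                "http://config-service.internal:8080/%23", "http://10.0.0.5:22"}) {
            try {
                System.out.println("OK   " + validate(c) + "/health");
            } catch (IllegalArgumentException e) {
                System.out.println("DENY " + c + " -> " + e.getMessage());
            }
        }
    }
}
```

The caller appends the fixed `/health` path to the returned base URL, so any path, query or fragment supplied by the user is discarded rather than forwarded.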