Nobodyiam

**Name of the Vulnerable Software and Affected Versions** Apollo versions prior to 2.1.0 **Description** A low-privileged user can create a special web page. If an authenticated portal admin visits this page, the page can silently send a request to assign new roles for that user without any confirmation from the Portal admin. The issue is related to the Cookie SameSite strategy, which was set to Lax in version 2.1.0. **Recommendations** For versions prior to 2.1.0, update to version 2.1.0 or later to resolve the issue. As a temporary workaround, avoid visiting unknown source pages to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Apollo versions prior to 2.1.0 **Description** Apollo is a configuration management system. There are potential security issues if users expose apollo-configservice to the internet, which is not recommended. This is because there is no authentication feature enabled for the built-in eureka service. Malicious hackers may access eureka directly to mock apollo-configservice and apollo-adminservice. Login authentication for eureka was added in version 2.1.0. **Recommendations** For versions prior to 2.1.0, update to version 2.1.0 or later to enable login authentication for the eureka service. As a temporary workaround, avoid exposing apollo-configservice to the internet to prevent potential security issues.