CVE-2019-10686

Name of the Vulnerable Software and Affected Versions Ctrip Apollo versions through 1.4.0-SNAPSHOT

Description A Server-Side Request Forgery (SSRF) issue was discovered in the API, allowing an attacker to perform an intranet port scan or send a GET request via the "/system-info/health" API endpoint. This is due to the mishandling of the %23 substring.

Recommendations For versions through 1.4.0-SNAPSHOT, as a temporary workaround, consider restricting access to the "/system-info/health" API endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.