CVE-2021-29442
Published: 2021-04-27
Priority: P1 · 83 · high · 7.5 (CVSS 3.1)
CVSS 3.1 vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
Tags: ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 64.70% (percentile 99.1)
Nacos is a platform designed for dynamic service discovery, configuration and service management. In Nacos before version 1.4.1, the ConfigOpsController lets the user perform management operations such as querying the database or even wiping it out. While the /data/remove endpoint is properly protected with the @Secured annotation, the /derby endpoint is not protected and can be openly accessed by unauthenticated users. These endpoints are only valid when using embedded storage (Derby DB), so this issue should not affect installations using external storage (e.g. MySQL).
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| alibaba | nacos | < 1.4.1 | 1.4.1 |
Detection & IOCs (extracted from sources)
- Detect unauthenticated GET requests to the Nacos Derby SQL endpoint; a request that the server accepts without any authentication header is an indicator of an exploitation attempt.
- This vulnerability only affects Nacos instances using embedded Derby storage; installations using external storage (e.g. MySQL) are not affected.
- Requests to the /derby endpoint whose `sql` query parameter references internal Nacos/Derby system tables (sys.systables) indicate an attempt to enumerate the embedded database.
- The vulnerability is only present in Nacos versions before 1.4.1; upgrading to 1.4.1 or later remediates the issue.
- Only deployments using embedded Derby storage are affected; external storage backends (e.g. MySQL) are not vulnerable.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| NVD | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| VulnCheck | n/a | 8.6 | HIGH | n/a |
OSV
osv · 2021-04-27
CVE-2021-29442 [HIGH] Authentication bypass for specific endpoint
The [`ConfigOpsController`](https://github.com/alibaba/nacos/blob/57459227863485d064ff25b3d5e24e714dcf218f/config/src/main/java/com/alibaba/nacos/config/server/controller/ConfigOpsController.java) lets the user perform management operations like querying the database or even wiping it out. While the [`/data/remove`](https://github.com/alibaba/nacos/blob/57459227863485d064ff25b3d5e24e714dcf218f/config/src/main/java/com/alibaba/nacos/config/server/controller/ConfigOpsController.java#L133-L135) endpoint is properly protected with the `@Secured` annotation, the [`/derby`](https://github.com/alibaba/nacos/blob/57459227863485d064ff25b3d5e24e714dcf218f/config/src/main/java/com/alibaba/nacos/config/server/controller/ConfigOpsController.java#L99-L100) en
GHSA
ghsa · 2021-04-27
CVE-2021-29442 [HIGH] CWE-306 Authentication bypass for specific endpoint
The [`ConfigOpsController`](https://github.com/alibaba/nacos/blob/57459227863485d064ff25b3d5e24e714dcf218f/config/src/main/java/com/alibaba/nacos/config/server/controller/ConfigOpsController.java) lets the user perform management operations like querying the database or even wiping it out. While the [`/data/remove`](https://github.com/alibaba/nacos/blob/57459227863485d064ff25b3d5e24e714dcf218f/config/src/main/java/com/alibaba/nacos/config/server/controller/ConfigOpsController.java#L133-L135) endpoint is properly protected with the `@Secured` annotation, the [`/derby`](https://github.com/alibaba/nacos/blob/57459227863485d064ff25b3d5e24e714dcf218f/config/src/main/java/com/alibaba/nacos/config/server/controller/ConfigOpsController.java#L99-L100) en
VulnCheck
vulncheck · 2021 · CVSS 8.6
CVE-2021-29442 [HIGH] alibaba nacos Missing Authentication for Critical Function
Nacos is a platform designed for dynamic service discovery, configuration and service management. In Nacos before version 1.4.1, the ConfigOpsController lets the user perform management operations such as querying the database or even wiping it out. While the /data/remove endpoint is properly protected with the @Secured annotation, the /derby endpoint is not protected and can be openly accessed by unauthenticated users. These endpoints are only valid when using embedded storage (Derby DB), so this issue should not affect installations using external storage (e.g. MySQL).
Affected: alibaba nacos
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitig
No detection rules found.
Nuclei
nuclei · CVSS 7.5
CVE-2021-29442 [HIGH] Nacos <1.4.1 - Authentication Bypass
Nacos before version 1.4.1 is vulnerable to authentication bypass because the ConfigOpsController lets the user perform management operations such as querying the database or even wiping it out. While the /data/remove endpoint is properly protected with the @Secured annotation, the /derby endpoint is not protected and can be openly accessed by unauthenticated users. These endpoints are only valid when using embedded storage (Derby DB), so this issue should not affect installations using external storage (e.g. MySQL).
Template:

```yaml
id: CVE-2021-29442
info:
  name: Nacos <1.4.1 - Authentication Bypass
  author: dwisiswant0
  severity: high
  description: |
    Nacos before version 1.4.1 is vulnerable to authentication bypass because the ConfigOpsController lets the
```
No writeups or analysis indexed.