CVE-2021-29442
published 2021-04-27


Priority: P183 high
CVSS 3.1 base score: 7.5
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitation status: exploited in the wild (VulnCheck KEV); tactic: initial access
EPSS: 64.70% (99.1th percentile)
Nacos is a platform designed for dynamic service discovery and configuration and service management. In Nacos before version 1.4.1, the ConfigOpsController lets the user perform management operations like querying the database or even wiping it out. While the /data/remove endpoint is properly protected with the @Secured annotation, the /derby endpoint is not protected and can be openly accessed by unauthenticated users. These endpoints are only valid when using embedded storage (derby DB) so this issue should not affect those installations using external storage (e.g. mysql)

Affected

1 range

Vendor  | Product | Version range | Fixed in
alibaba | nacos   | < 1.4.1       | 1.4.1

Detection & IOCs (extracted from sources)

url: /nacos/v1/cs/ops/derby?sql=select+st.tablename+from+sys.systables+st
path: /nacos/v1/cs/ops/derby
path: /nacos/v1/cs/ops/data/remove
  • Detect unauthenticated GET requests to the Nacos Derby SQL endpoint; the server requires no authentication headers for it, so a request to this path without them indicates an exploitation attempt
  • This vulnerability only affects Nacos instances using embedded Derby storage; installations using external storage (e.g. MySQL) are not affected
  • Exploitation attempts pass SQL through the `sql` query parameter of the /derby endpoint to enumerate internal Nacos/Derby system tables (sys.systables)
  • The vulnerability is only present in Nacos versions before 1.4.1; upgrading to 1.4.1 or later remediates the issue
  • Only deployments using embedded Derby storage are affected; external storage backends (e.g. MySQL) are not vulnerable

CVSS provenance

Source    | Version | Score | Severity | Vector
nvd       | v3.1    | 7.5   | HIGH     | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd       | v2.0    | 5.0   | MEDIUM   | AV:N/AC:L/Au:N/C:P/I:N/A:N
vulncheck |         | 8.6   | HIGH     |