CVE-2021-43116
published 2022-07-05


Priority: P2 · 64 · high
CVSS 3.1: 8.8 (AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H)
EXPLOIT
EPSS: 5.55% (91.9th percentile)
An access control vulnerability exists in the access prompt page of Nacos 2.0.3: after entering a username and password and clicking login, an attacker can capture the packets and change the returned response packet, which lets a malicious user log in.

Affected

1 range

Vendor | Product | Version range | Fixed in
alibaba | nacos | <= 2.0.3 |

Detection & IOCs (extracted from sources)

url: /nacos/v1/cs/configs?dataId=&group=&appName=&config_tags=&pageNo=1&pageSize=10&tenant=&search=accurate&accessToken=<JWT>&username=
other: SecretKey01234567890123456789012345678901234567890123456789012345678
other: JWT HS256 signed with base64url_decode('SecretKey01234567890123456789012345678901234567890123456789012345678'), sub=nacos
port: 8848
  • Detect unauthenticated or forged-JWT GET requests to the Nacos config API endpoint; a non-403 response indicates successful exploitation of CVE-2021-43116.
  • Alert on JWT tokens in Nacos API requests signed with the hardcoded secret 'SecretKey01234567890123456789012345678901234567890123456789012345678' using HS256 algorithm — this is the default/known-weak secret used by the exploit.
  • Monitor for HTTP GET requests to /nacos/v1/cs/configs with an accessToken parameter and an empty username parameter, which is the exploit's fingerprint for bypassing access control.
  • The exploit abuses the login response packet manipulation technique — monitor for abnormal response code changes (e.g., 403→200) on the Nacos login endpoint, which may indicate in-transit packet tampering or proxy-based response modification.
  • The exploit requires the PyJWT and requests Python libraries to be installed prior to execution, meaning attacker tooling has a known dependency footprint.
  • The vulnerability affects Nacos versions up to and including 2.0.3; detections should be scoped to this version range.
  • The exploit supports both HTTP and HTTPS targets; detection rules must cover both schemes on port 8848.
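
The first three detection points above can be combined into one log check. This is an added example, not code from the original page or from the Nacos project; it assumes combined-format access logs from a proxy in front of port 8848, and the function names, finding labels and sample lines are constructed for illustration.

```python
import base64, hashlib, hmac
from urllib.parse import urlsplit, parse_qs
# Default secret quoted in the IOC list above; the key is its base64url decoding.
DEFAULT_SECRET = "SecretKey01234567890123456789012345678901234567890123456789012345678"
KEY = base64.urlsafe_b64decode(DEFAULT_SECRET + "=" * (-len(DEFAULT_SECRET) % 4))
CONFIG_PATH = "/nacos/v1/cs/configs"

def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _hs256(signing_input: str) -> str:
    return _b64u(hmac.new(KEY, signing_input.encode(), hashlib.sha256).digest())

def signed_with_default_secret(token: str) -> bool:
    """True if the JWT's HS256 signature verifies under the default secret."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    return hmac.compare_digest(_hs256(parts[0] + "." + parts[1]).encode(),
                               parts[2].encode())

def classify(log_line: str) -> list:
    """Findings for one access-log line (assumed combined log format)."""
    try:
        fields = log_line.split('"')
        method, target, _ = fields[1].split(" ", 2)
        status = int(fields[2].split()[0])
    except (IndexError, ValueError):
        return []  # not a parsable request line
    url = urlsplit(target)
    query = parse_qs(url.query, keep_blank_values=True)
    if method != "GET" or url.path != CONFIG_PATH or "accessToken" not in query:
        return []
    findings = []
    if query.get("username") == [""]:
        findings.append("empty-username-with-token")
    if signed_with_default_secret(query["accessToken"][0]):
        findings.append("default-secret-jwt")
    if findings and status != 403:
        findings.append("non-403-response")  # request was served, not rejected
    return findings

# Constructed sample lines (not from a real host); the fixture token is built here.
_body = _b64u(b'{"alg":"HS256"}') + "." + _b64u(b'{"sub":"nacos"}')
_req = f"GET {CONFIG_PATH}?dataId=&pageNo=1&accessToken="
SAMPLE_LOG = [
    f'192.0.2.10 - - [-] "{_req}{_body}.{_hs256(_body)}&username= HTTP/1.1" 200 512',
    f'192.0.2.10 - - [-] "{_req}{_body}.{_hs256(_body)}&username= HTTP/1.1" 403 0',
    f'192.0.2.20 - - [-] "{_req}{_body}.bm90LXZhbGlk&username=alice HTTP/1.1" 200 512',
]
```

Running `classify` over each line of `SAMPLE_LOG` flags the first two requests and leaves the third, whose token is not signed with the default secret, unflagged.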

CVSS provenance

nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P