CVE-2021-43116
Published 2022-07-05
Priority P2 · 64 · high · 8.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 5.55% (91.9th percentile)
An Access Control vulnerability exists in Nacos 2.0.3 in the access prompt page; enter username and password, click on login to capture packets and then change the returned package, which lets a malicious user login.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| alibaba | nacos | <= 2.0.3 | — |
Detection & IOCs (extracted from sources)
url: /nacos/v1/cs/configs?dataId=&group=&appName=&config_tags=&pageNo=1&pageSize=10&tenant=&search=accurate&accessToken=<JWT>&username=
other: JWT HS256 signed with base64url_decode('SecretKey01234567890123456789012345678901234567890123456789012345678'), sub=nacos
- Detect unauthenticated or forged-JWT GET requests to the Nacos config API endpoint; a non-403 response indicates successful exploitation of CVE-2021-43116.
- Alert on JWT tokens in Nacos API requests signed with the hardcoded secret 'SecretKey01234567890123456789012345678901234567890123456789012345678' using the HS256 algorithm; this is the default, known-weak secret used by the exploit.
- Monitor for HTTP GET requests to /nacos/v1/cs/configs with an accessToken parameter and an empty username parameter, which is the exploit's fingerprint for bypassing access control.
- The exploit relies on manipulating the login response packet; monitor for abnormal response code changes (e.g., 403 to 200) on the Nacos login endpoint, which may indicate in-transit packet tampering or proxy-based response modification.
- The exploit requires the PyJWT and requests Python libraries to be installed prior to execution, meaning attacker tooling has a known dependency footprint.
- The vulnerability affects Nacos versions up to and including 2.0.3; detections should be scoped to this version range.
- The exploit supports both HTTP and HTTPS targets; detection rules must cover both schemes on port 8848.
CVSS provenance
- NVD v3.1: 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- NVD v2.0: 6.5 MEDIUM, AV:N/AC:L/Au:S/C:P/I:P/A:P
OSV (2022-07-06): CVE-2021-43116 [HIGH] Use of Hard-coded Credentials in Nacos
GHSA (2022-07-06): CVE-2021-43116 [HIGH] CWE-287 Use of Hard-coded Credentials in Nacos
No detection rules found.
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/171638/Nacos-2.0.3-Access-Control.html
- https://github.com/alibaba/nacos/issues/7127
- https://github.com/alibaba/nacos/issues/7182
Published: 2022-07-05