CVE-2021-29442

Authentication bypass

CVSS 8.6 HIGH · EPSS 64.7% · CWE-306
In short

Nacos before version 1.4.1 allows unauthenticated users to access the /derby endpoint and perform dangerous database operations like querying or wiping out the embedded database. This bypasses authentication controls that protect similar endpoints.

Technical detail

Authentication bypass in the Nacos ConfigOpsController: the /derby endpoint lacks the @Secured annotation, so unauthenticated clients can reach database management operations on the embedded Derby storage. The sibling /data/remove endpoint enforces authentication while /derby does not, leaving the controller with an inconsistent security posture. Impact is limited to deployments using embedded storage rather than an external database.

Summary generated and translated by AI from the official description.
Nacos is a platform designed for dynamic service discovery and configuration and service management. In Nacos before version 1.4.1, the ConfigOpsController lets the user perform management operations like querying the database or even wiping it out. While the /data/remove endpoint is properly protected with the @Secured annotation, the /derby endpoint is not protected and can be openly accessed by unauthenticated users. These endpoints are only valid when using embedded storage (Derby DB), so this issue should not affect those installations using external storage (e.g. MySQL).
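A defender-side check for the access pattern described above (2xx responses on /derby alongside 403s on /data/remove), as an added example that is not part of this advisory or of the Nacos project. The log lines are constructed, and the /nacos/v1/cs/ops mount point is an assumption; the matcher keys on the endpoint suffixes the advisory names.

```python
import re
from typing import List, Tuple

# Constructed sample lines in common-log style (not real traffic). The
# /nacos/v1/cs/ops prefix is an assumption; only /derby and /data/remove
# come from the advisory, so matching is done on the path suffix.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2021:10:00:01 +0000] "GET /nacos/v1/cs/configs?dataId=x HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2021:10:00:02 +0000] "GET /nacos/v1/cs/ops/derby?dummy=1 HTTP/1.1" 200 88
10.0.0.9 - - [01/Jan/2021:10:00:03 +0000] "DELETE /nacos/v1/cs/ops/data/remove HTTP/1.1" 403 0
10.0.0.7 - - [01/Jan/2021:10:00:04 +0000] "GET /nacos/v1/cs/ops/derby HTTP/1.1" 200 1024
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Endpoint suffixes of the ConfigOpsController named in CVE-2021-29442.
OPS_ENDPOINTS = ("/derby", "/data/remove")

Hit = Tuple[str, str, str, int]


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn a Nacos version string such as '1.4.0' into a comparable tuple."""
    return tuple(int(p) for p in v.split("."))


def is_affected(version: str) -> bool:
    """Affected range per the advisory: every release before 1.4.1."""
    return parse_version(version) < (1, 4, 1)


def ops_endpoint_hits(log_text: str) -> List[Hit]:
    """Return (ip, method, endpoint, status) for requests to the ops endpoints."""
    hits: List[Hit] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        path = m.group("target").split("?", 1)[0]  # drop the query string
        for ep in OPS_ENDPOINTS:
            if path.endswith(ep):
                hits.append((m.group("ip"), m.group("method"), ep, int(m.group("status"))))
    return hits


def successful_derby_access(log_text: str) -> List[Hit]:
    """2xx hits on /derby: on an affected build these need no credentials, so
    each one is a candidate unauthenticated query against the embedded DB."""
    return [h for h in ops_endpoint_hits(log_text) if h[2] == "/derby" and 200 <= h[3] < 300]
```

Pair the log check with the version test: a 2xx on /derby from an affected build is an incident, whereas on 1.4.1 or later the same request should carry a valid Nacos session.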
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Affected products
alibaba · nacos