Description

Nacos is a platform designed for dynamic service discovery and configuration and service management. In Nacos before version 1.4.1, the ConfigOpsController lets the user perform management operations like querying the database or even wiping it out. While the /data/remove endpoint is properly protected with the @Secured annotation, the /derby endpoint is not protected and can be openly accessed by unauthenticated users. These endpoints are only valid when using embedded storage (derby DB) so this issue should not affect those installations using external storage (e.g. mysql)

Remediation

References

https://github.com/alibaba/nacos/issues/4463

https://github.com/alibaba/nacos/pull/4517

https://github.com/advisories/GHSA-36hp-jr8h-556f

Related Vulnerabilities

CVE-2021-33561 Vulnerability in maven package com.shopizer:shopizer

CVE-2022-0528 Vulnerability in npm package @uppy/companion

CVE-2022-29078 Vulnerability in npm package ejs

CVE-2022-4772 Vulnerability in maven package com.github.dgarijo:widoco

CVE-2020-29204 Vulnerability in maven package com.xuxueli:xxl-job-admin

Severity

High

Classification

CWE-306 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Tags

Exploit Third Party Advisory Patch