CVE-2021-29442

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2021-29442

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-29442.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2021-29442

Aliases

Published

2021-04-27T21:15:08Z

Modified

2024-10-12T07:12:31.199226Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

[none]

Details

Nacos is a platform designed for dynamic service discovery and configuration and service management. In Nacos before version 1.4.1, the ConfigOpsController lets the user perform management operations like querying the database or even wiping it out. While the /data/remove endpoint is properly protected with the @Secured annotation, the /derby endpoint is not protected and can be openly accessed by unauthenticated users. These endpoints are only valid when using embedded storage (derby DB) so this issue should not affect those installations using external storage (e.g. mysql)

References

Affected packages

Git / github.com/alibaba/nacos

Affected ranges

Type: GIT
Repo: https://github.com/alibaba/nacos
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

1d88d5d773c46912957a15cb6e78bd8b01c89fde

Affected versions

0.*

0.2.1

0.2.1-RC1

0.3.0

0.3.0-RC1

0.4.0

0.5.0

0.6.0

0.6.1

0.7.0

0.8.0

0.8.0-SNAPSHOT

0.9.0

1.*

1.0.0

1.0.0-RC1

1.0.0-RC2

1.0.0-RC3

1.0.1

1.1.0

1.1.3

1.1.4

1.2.0

1.2.0-beta.0

1.2.0-beta.1

1.2.1

1.3.0

1.3.0-beta

1.3.1

1.3.1-beta

1.3.2

1.4.0

2.*

2.0.0-ALPHA.2

v0.*

v0.1.0

v0.2.0