Lucene search

GoogleOSV:GHSA-2G86-R6W2-WQQR

HistoryJul 06, 2022 - 12:00 a.m.

Use of Hard-coded Credentials in Nacos

2022-07-0600:00:30

Google

osv.dev

hard-coded credentials

nacos 2.0.3

access control vulnerability

malicious user login

CVSS2

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

0.052

Percentile

93.0%

JSON

An Access Control vulnerability exists in Nacos 2.0.3 in the access prompt page; enter username and password, click on login to capture packets and then change the returned package, which lets a malicious user login.

References

packetstormsecurity.com/files/171638/Nacos-2.0.3-Access-Control.html

github.com/alibaba/nacos

github.com/alibaba/nacos/issues/7127

github.com/alibaba/nacos/issues/7182

nvd.nist.gov/vuln/detail/CVE-2021-43116

CVSS2

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

0.052

Percentile

93.0%

JSON

Related for OSV:GHSA-2G86-R6W2-WQQR