4 matches found

Nuclei
added 10 hours ago, 67 views

Nacos <1.4.1 - Authentication Bypass

Nacos before version 1.4.1 is vulnerable to authentication bypass because the ConfigOpsController lets the user perform management operations like querying the database or even wiping it out. While the /data/remove endpoint is properly protected with the @Secured annotation, the /derby endpoint i...

CVSS 8.6 | AI score 7.1 | EPSS 0.93654
Exploits: 2 | References: 5

Cvelist
added 2021/04/27 8:20 p.m., 21 views

CVE-2021-29442 Authentication bypass

Nacos is a platform designed for dynamic service discovery and configuration and service management. In Nacos before version 1.4.1, the ConfigOpsController lets the user perform management operations like querying the database or even wiping it out. While the /data/remove endpoint is properly...

CVSS 8.6 | AI score 8.9 | EPSS 0.93654
Exploits: 2 | References: 3

OSV
added 2021/04/27 8:9 p.m., 0 views

GHSA-XV5H-V7JH-P2QH Authentication bypass for specific endpoint

The ConfigOpsController lets the user perform management operations like querying the database or even wiping it out. While the /data/remove endpoint is properly protected with the @Secured annotation, the /derby endpoint is not protected and can be openly accessed by unauthenticated users. For...

CVSS 8.6 | AI score 7 | EPSS 0.93654
Exploits: 2 | References: 4

CNNVD
added 2021/04/27 12:0 a.m., 4 views

Alibaba nacos access control error vulnerability

nacos is a dynamic service discovery, configuration and service management platform for Alibaba in China. The software supports both DNS-based and RPC-based service discovery, and can provide features such as providing real-time health checks and blocking services from sending requests to unhealt...

CVSS 8.6 | AI score 5.6 | EPSS 0.93654
Exploits: 2 | References: 4