com.alibaba.nacos:nacos-common@1.4.0-BETA vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the com.alibaba.nacos:nacos-common package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability: Authentication Bypass (severity: High)

com.alibaba.nacos:nacos-common is a service discovery, configuration and service management platform for building cloud native applications.

Affected versions of this package are vulnerable to Authentication Bypass. The ConfigOpsController lets the user perform management operations like querying the database or even wiping it out. While the /data/remove endpoint is properly protected with the @Secured annotation, the /derby endpoint is not protected and can be openly accessed by unauthenticated users.

How to fix Authentication Bypass?

Upgrade com.alibaba.nacos:nacos-common to version 1.4.1 or higher.

Vulnerable versions: [,1.4.1)

Vulnerability: Authentication Bypass (severity: High)

com.alibaba.nacos:nacos-common is a service discovery, configuration and service management platform for building cloud native applications.

Affected versions of this package are vulnerable to Authentication Bypass. When configured to use authentication (-Dnacos.core.auth.enabled=true) Nacos uses the AuthFilter servlet filter to enforce authentication. This filter has a backdoor that enables Nacos servers to bypass this filter and therefore skip authentication checks. This mechanism relies on the user-agent HTTP header so it can be easily spoofed.

How to fix Authentication Bypass?

Upgrade com.alibaba.nacos:nacos-common to version 1.4.1 or higher.

Vulnerable versions: [,1.4.1)
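A check a practitioner can run against the two ranges listed above, as an added example (not Snyk's or the Nacos project's code): it parses the Maven range notation `[,1.4.1)`, orders pre-release qualifiers such as `1.4.0-BETA` before the bare release so a beta of the fixed version still counts as vulnerable, and reports which entries apply to the version declared in a pom.xml. The entry labels, helper names and the pom.xml fragment are assumptions constructed for the demo.

```python
import re

# Vulnerable ranges exactly as listed on this page (Maven version-range syntax).
# The key names are assumed labels for the two entries, not Snyk identifiers.
VULNERABLE_RANGES = {
    "auth-bypass-unprotected-derby-endpoint": "[,1.4.1)",
    "auth-bypass-authfilter-user-agent": "[,1.4.1)",
}

# Constructed pom.xml fragment for the demo (not taken from the page).
POM_SAMPLE = """<dependency>
  <groupId>com.alibaba.nacos</groupId>
  <artifactId>nacos-common</artifactId>
  <version>1.4.0-BETA</version>
</dependency>"""


def version_key(version):
    """Map '1.4.0-BETA' to a sortable tuple. Numeric parts are padded to three
    components (1.4 == 1.4.0); a qualifier marks a pre-release, which sorts
    before the bare release (1.4.0-BETA < 1.4.0 and 1.4.1-RC1 < 1.4.1)."""
    main, _, qualifier = version.strip().partition("-")
    nums = tuple(int(p) for p in main.split(".") if p.isdigit())
    nums += (0,) * (3 - len(nums))
    return nums + ((0, qualifier.upper()) if qualifier else (1, ""))


def in_range(version, range_spec):
    """True if version falls inside a Maven range such as [,1.4.1) or [1.0,2.0]."""
    m = re.fullmatch(r"([\[(])\s*([^,\])]*)\s*,\s*([^\])]*)\s*([\])])", range_spec)
    if not m:
        raise ValueError(f"unsupported range syntax: {range_spec}")
    lo_br, lo, hi, hi_br = m.groups()
    v = version_key(version)
    if lo and not (v >= version_key(lo) if lo_br == "[" else v > version_key(lo)):
        return False
    if hi and not (v <= version_key(hi) if hi_br == "]" else v < version_key(hi)):
        return False
    return True


def nacos_common_version(pom_text):
    """Pull the declared nacos-common version out of a pom.xml fragment."""
    m = re.search(r"<artifactId>nacos-common</artifactId>\s*<version>([^<]+)</version>", pom_text)
    return m.group(1).strip() if m else None


def affected_by(version):
    """Labels of the page's entries whose vulnerable range contains version."""
    return sorted(n for n, r in VULNERABLE_RANGES.items() if in_range(version, r))


if __name__ == "__main__":
    declared = nacos_common_version(POM_SAMPLE)
    print(declared, "->", affected_by(declared) or "not affected (1.4.1 or higher)")
```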