Authentication Bypass Affecting com.alibaba.nacos:nacos-common Open this link in a new tab package, versions [,1.4.1)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.Test your applications
28 Apr 2021
27 Apr 2021
How to fix?
com.alibaba.nacos:nacos-common to version 1.4.1 or higher.
com.alibaba.nacos:nacos-common is a service discovery, configuration and service management platform for building cloud native applications.
Affected versions of this package are vulnerable to Authentication Bypass. The
ConfigOpsController lets the user perform management operations like querying the database or even wiping it out. While the
/data/remove endpoint is properly protected with the
@Secured annotation, the
/derby endpoint is not protected and can be openly accessed by unauthenticated users.