
CVE-2021-29442

Published: 27/04/2021 Updated: 07/05/2021
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9
VMScore: 446
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Vulnerability Summary

Nacos is a platform for dynamic service discovery, configuration and service management. In Nacos before version 1.4.1, the ConfigOpsController lets a user perform management operations such as querying the database or even wiping it out. While the /data/remove endpoint is properly protected with the @Secured annotation, the /derby endpoint is not protected and can be reached by unauthenticated users. These endpoints are only active when Nacos runs on its embedded storage (Derby DB), so this issue should not affect installations using external storage (e.g. MySQL). When triaging, confirm which storage mode an instance uses before treating it as exposed; the CVSS v2 vector above (C:P/I:N/A:N) scores the unprotected endpoint as a confidentiality impact only.
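The bug pattern here is a controller where one handler carries @Secured and a sibling handler does not. As an added example (not Nacos project code), the script below audits a Java controller source for request-mapping handlers that carry no @Secured annotation, so the same gap can be spotted in other controllers before it ships. The embedded Java fragment is a constructed sketch of the ConfigOpsController shape described in the summary; the /ops base path, the ActionTypes values and the method bodies are assumptions, not the real Nacos source.

```python
"""Audit Spring-style Java controller source for handlers lacking @Secured.

Added example, not Nacos project code. The Java text below is a constructed
sketch of the advisory's ConfigOpsController shape, not the real source.
"""
import re
from dataclasses import dataclass

# Constructed Java fragment: the base path, ActionTypes and bodies are assumptions.
CONSTRUCTED_SOURCE = '''
@RestController
@RequestMapping("/ops")
public class ConfigOpsController {

    @Secured(action = ActionTypes.WRITE)
    @DeleteMapping(value = "/data/remove")
    public String removeData() { /* ... */ }

    @GetMapping(value = "/derby")
    public RestResult<Object> derbyOps(@RequestParam String sql) { /* ... */ }
}
'''

# Hardened variant: the same controller with @Secured added to the /derby handler.
HARDENED_SOURCE = CONSTRUCTED_SOURCE.replace(
    '@GetMapping(value = "/derby")',
    '@Secured(action = ActionTypes.READ)\n    @GetMapping(value = "/derby")',
)

MAPPING_RE = re.compile(r'@(?:Request|Get|Post|Put|Delete|Patch)Mapping\b')
PATH_RE = re.compile(r'Mapping\s*\(\s*(?:value\s*=\s*|path\s*=\s*)?"([^"]*)"')
METHOD_RE = re.compile(r'\b(\w+)\s*\(')


@dataclass
class Handler:
    path: str      # class-level base path joined with the handler path
    method: str    # Java method name
    secured: bool  # True if an @Secured annotation decorates the handler


def _join(base: str, path: str) -> str:
    return (base.rstrip("/") + "/" + path.lstrip("/")).rstrip("/") or "/"


def audit_handlers(java_source: str) -> list[Handler]:
    """Return every request handler with whether it carries @Secured.

    Line-based: annotations are expected on their own lines directly above
    the declaration they decorate (multi-line annotations are not handled).
    """
    base = ""
    pending: list[str] = []  # annotation lines awaiting their declaration
    handlers: list[Handler] = []
    for raw in java_source.splitlines():
        line = raw.split("//", 1)[0].strip()  # drop trailing // comments
        if not line:
            continue
        if line.startswith("@"):
            pending.append(line)
            continue
        if re.search(r"\bclass\s+\w+", line):
            # Class-level @RequestMapping supplies the base path.
            for ann in pending:
                m = PATH_RE.search(ann)
                if m and MAPPING_RE.search(ann):
                    base = m.group(1)
            pending = []
            continue
        mapping = [a for a in pending if MAPPING_RE.search(a)]
        if mapping:
            m = PATH_RE.search(mapping[0])
            name = METHOD_RE.search(line)
            handlers.append(Handler(
                path=_join(base, m.group(1) if m else ""),
                method=name.group(1) if name else "?",
                secured=any(a.startswith("@Secured") for a in pending),
            ))
        pending = []
    return handlers


def find_unsecured(java_source: str) -> list[str]:
    """Paths of handlers that have a request mapping but no @Secured."""
    return [h.path for h in audit_handlers(java_source) if not h.secured]


if __name__ == "__main__":
    for label, src in (("vulnerable", CONSTRUCTED_SOURCE), ("hardened", HARDENED_SOURCE)):
        print(label, "->", find_unsecured(src) or "no unsecured handlers")
```

Run against the vulnerable sketch the audit reports /ops/derby as the only unsecured handler; against the hardened variant it reports nothing. The check is deliberately syntactic: it answers "which handlers lack the annotation", not whether the annotation's resource and action are the right ones, which still needs a human review.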


Github Repositories

accuknox-policy-temp
A community-owned library of Kubernetes System and Network policies

AccuKnox Templates overview
Please follow the hierarchy while contributing:
├── cves
│   ├── network
│   │   └── cnp-CVE-2009-0932.yaml
│   ├── system
│   │   └── ksp-CVE-2021-29156.yaml
│   │   └── ksp-CVE-2021-29442.yaml
├──

Community-curated list of System and Network policy templates for KubeArmor and Cilium

Policies Libraries
A community-owned library of Kubernetes System and Network policies

Policy Templates overview
Please follow the hierarchy while contributing:
├── mitre
│   ├── network
│   │   └── cnp-firewall-world-block.yaml
│   ├── system
│   │   └── ksp-postgres-allow.yaml
│   │   └── ksp-privilage-pod-block.yaml