PT-2021-18217 · Nacos · Nacos

Threedr3Am · Published 2021-04-27 · Updated 2021-05-07 · CVE-2021-29442

CVSS v3.1: 8.6 High
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Nacos versions prior to 1.4.1
Description: Nacos is a platform for dynamic service discovery, configuration and service management. In affected versions the ConfigOpsController exposes management operations such as querying the embedded database and wiping it. Its /derby endpoint is not covered by the authentication filter and runs the SQL query supplied in the request for unauthenticated callers, while the /data/remove endpoint on the same controller is properly protected. This part of the issue affects only installations that use the embedded storage (Derby); deployments backed by an external database (for example, MySQL) are not exposed through it. Separately, when Nacos is configured to enforce authentication (nacos.core.auth.enabled=true), the AuthFilter contains a backdoor that lets Nacos servers skip the authentication check. It is keyed on the HTTP User-Agent header (value Nacos-Server), which any client can set, so any user can carry out administrative tasks on the Nacos server. The two weaknesses are tracked in the two GitHub advisories listed under Related Identifiers.
Recommendations: Upgrade to Nacos 1.4.1 or later. Upgrading alone does not close the User-Agent bypass: after the upgrade keep nacos.core.auth.enabled=true, set nacos.core.auth.enable.userAgentAuthWhite=false explicitly (do not rely on the release default) so the Nacos-Server User-Agent is no longer trusted, and configure nacos.core.auth.server.identity.key and nacos.core.auth.server.identity.value so that cluster members authenticate to each other with a shared secret instead. Until the upgrade is deployed: restrict network access to the management API (the /derby endpoint and the rest of the configuration operations controller) to trusted hosts, move from embedded Derby storage to an external database if feasible, and at any reverse proxy in front of Nacos drop requests carrying the User-Agent value Nacos-Server unless they originate from cluster members. Verify the fix by repeating the unauthenticated /derby request and the spoofed User-Agent request after the change; both must be rejected.
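The weak and hardened application.properties settings side by side, as an added example (not a file from the page or the Nacos project). Property names are those of Nacos 1.4.1; the host, database name, credentials and identity values are placeholders to be replaced.

```properties
# --- Weak: authentication on, but the pre-1.4.1 trust in User-Agent left in place,
# --- and embedded Derby storage, so /derby is reachable (illustrative, not from the page)
nacos.core.auth.enabled=true
nacos.core.auth.enable.userAgentAuthWhite=true

# --- Hardened (Nacos 1.4.1 or later) ---
nacos.core.auth.enabled=true
# Stop honouring "User-Agent: Nacos-Server" as proof of a cluster member.
nacos.core.auth.enable.userAgentAuthWhite=false
# Cluster members now present this header name/value pair instead; use a long random secret.
nacos.core.auth.server.identity.key=serverIdentity
nacos.core.auth.server.identity.value=<long-random-secret>
# Optional: external storage instead of embedded Derby, so the derby ops do not apply.
spring.datasource.platform=mysql
db.num=1
db.url.0=jdbc:mysql://127.0.0.1:3306/nacos_config?characterEncoding=utf8&useSSL=true
db.user=nacos
db.password=<db-password>
```

Restart every node after changing these values; the identity key/value pair must be identical on all cluster members or inter-node requests will be rejected once the User-Agent whitelist is off.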

Exploit

Fix

Weakness Enumeration

Authentication Bypass by Spoofing
Missing Authentication

Related Identifiers

CVE-2021-29442
GHSA-36HP-JR8H-556F
GHSA-XV5H-V7JH-P2QH

Affected Products

Nacos