CVE-2021-29442

Authentication bypass

Basic Information

CVE State
PUBLISHED
Reserved Date
March 30, 2021
Published Date
April 27, 2021
Last Updated
August 03, 2024
Vendor
alibaba
Product
nacos
Description
Nacos is a platform designed for dynamic service discovery and configuration and service management. In Nacos before version 1.4.1, the ConfigOpsController lets the user perform management operations like querying the database or even wiping it out. While the /data/remove endpoint is properly protected with the @Secured annotation, the /derby endpoint is not protected and can be openly accessed by unauthenticated users. These endpoints are only valid when using embedded storage (Derby DB), so this issue should not affect installations using external storage (e.g. MySQL).
Tags
mysql nuclei_scanner

CVSS Scores

CVSS v3.1

8.6 - HIGH

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

EPSS Score

Score
94.00% (Percentile: 99.88%) as of 2025-05-29

Exploit Status

Exploited in the Wild
Yes (2025-05-03 00:00:00 UTC)

Known Exploited Vulnerability Information

Source
The Shadowserver (via CIRCL)
Added Date
2025-05-01 00:00:00 UTC

Scanner Integrations

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Detected by Nuclei

  • Added to KEVIntel