9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-29441

GHSA ID

GHSA-36hp-jr8h-556f

EPSS Score

0.99887%

CWE

CWE-290

Published

4/27/2021

Updated

2/1/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-29441

CVE-2021-29441:
Authentication Bypass

When configured to use authentication (-Dnacos.core.auth.enabled=true) Nacos uses the AuthFilter servlet filter to enforce authentication. This filter has a backdoor that enables Nacos servers to bypass this filter and therefore skip authentication checks. This mechanism relies on the user-agent HTTP header so it can be easily spoofed.

The following request to the configuration endpoint gets rejected as we are not providing any credentials:

❯ curl -X POST "http://127.0.0.1:8848/nacos/v1/cs/configs?dataId=nacos.cfg.dataIdfoo&group=foo&content=helloWorld"
{"timestamp":"2020-12-02T14:33:57.154+0000","status":403,"error":"Forbidden","message":"unknown user!","path":"/nacos/v1/cs/configs"}

However the following one gets accepted by using the Nacos-Server user-agent header:

❯ curl -X POST -A Nacos-Server "http://127.0.0.1:8848/nacos/v1/cs/configs?dataId=nacos.cfg.dataIdfoo&group=foo&content=helloWorld"
true

Impact

This issue may allow any user to carry out any administrative tasks on the Nacos server.

(GitHub Advisory)

9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-29441

GHSA ID

GHSA-36hp-jr8h-556f

EPSS Score

0.99887%

CWE

CWE-290

Published

4/27/2021

Updated

2/1/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
com.alibaba.nacos:nacos-common	maven	< 1.4.1	1.4.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from AuthFilter's handling of the User-Agent header in its doFilter method. When authConfigs.isEnableUserAgentAuthWhite() is true (default), any request with 'Nacos-Server' User-Agent bypasses authentication. This is explicitly shown in the code snippet from the GitHub issue where the filter skips security checks for these requests. The function appears in the call stack when processing malicious requests with spoofed headers, making it the primary runtime indicator.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W**n *on*i*ur** to us* *ut**nti**tion (`-*n**os.*or*.*ut*.*n**l**=tru*`) N**os us*s t** `*ut**ilt*r` s*rvl*t *ilt*r to *n*or** *ut**nti**tion. T*is *ilt*r **s * [***k*oor](*ttps://*it*u*.*om/*li****/n**os/*lo*/****************************************

Reasoning

T** vuln*r**ility st*ms *rom `*ut**ilt*r`'s **n*lin* o* t** `Us*r-***nt` *****r in its `*o*ilt*r` m*t*o*. W**n `*ut**on*i*s.is*n**l*Us*r***nt*ut*W*it*()` is tru* (****ult), *ny r*qu*st wit* 'N**os-S*rv*r' `Us*r-***nt` *yp*ss*s *ut**nti**tion. T*is is

9.8

Basic Information

Concerned about an active attack path?

CVE-2021-29441: Authentication Bypass

Impact

9.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2021-29441:
Authentication Bypass

Vulnerability Intelligence
Miggo AI