CVE-2021-29441
Authentication bypass
Description
Nacos is a platform designed for dynamic service discovery and configuration and service management. In Nacos before version 1.4.1, when configured to use authentication (-Dnacos.core.auth.enabled=true) Nacos uses the AuthFilter servlet filter to enforce authentication. This filter has a backdoor that enables Nacos servers to bypass this filter and therefore skip authentication checks. This mechanism relies on the user-agent HTTP header so it can be easily spoofed. This issue may allow any user to carry out any administrative tasks on the Nacos server.
In plain language
AI Act nowCVE-2021-29441 is an authentication bypass in Nacos (before 1.4.1) that lets an attacker perform admin actions without logging in by spoofing a web browser header; if you run Nacos in a way that enables its authentication filter, you should treat this as a serious risk.
Unauthenticated authentication-bypass in Nacos before 1.4.1 via the authentication filter backdoor that skips authentication checks when the attacker spoofs the HTTP user-agent header; NACOS config precondition is `nacos.core.auth.enabled=true`.
What to do now
- Check whether you use Nacos and whether it’s version 1.4.1 or later.
- Verify your Nacos setting:
nacos.core.auth.enabled=true(this is the condition under which the bypass applies). - If you are running a Nacos version before 1.4.1, plan an upgrade to Nacos with
com.alibaba.nacos:nacos-commonfixed at 1.4.1. - Ensure the Nacos service is not exposed to the public internet unless you have a tightly controlled network path.
CVSS Vector Breakdown
AV:NAttack VectorAC:LAttack ComplexityPR:NPrivileges RequiredUI:NUser InteractionS:CScopeC:HConfidentialityI:NIntegrityA:NAvailabilityWeaknesses
Affected Products
Exploitability
Exploit details including PoC links, Metasploit modules, and scanner templates are available after registration.
View exploit detailsAttack Graph
Click technique nodes for MITRE ATT&CK details · drag to pan · Ctrl/⌘ + scroll to zoom, or go fullscreen.
MITRE ATT&CK
1 techniqueReferences
Unlock Complete Vulnerability Intelligence
Get the full picture for CVE-2021-29441 and every CVE in our database. Create a free account — no credit card required.
Create Free Account