CVE-2021-29442

HIGH EXPLOITED NUCLEI

Nacos < 1.4.1 - Unauthenticated Database Manipulation via Derby Endpoint


Exploitation Summary

CVE-2021-29442 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 2 public exploits from researchers including VictorShem and nanaao. A Nuclei detection template is also available.

Description

Nacos is a platform for dynamic service discovery, configuration, and service management. In Nacos before version 1.4.1, the ConfigOpsController lets the user perform management operations such as querying the database or even wiping it out. While the /data/remove endpoint is properly protected with the @Secured annotation, the /derby endpoint is not protected and can be accessed by unauthenticated users. These endpoints are only valid when using embedded storage (Derby DB), so this issue should not affect installations that use external storage (e.g. MySQL).

Exploits (2)

nomisec SUSPICIOUS 3 stars
by VictorShem · poc
https://github.com/VictorShem/QVD-2024-26473

The repository claims to be a PoC for CVE-2021-29442 but contains a YAML file for CVE-2024-4577, indicating a mismatch or potential deception. The README lacks technical details and instead provides FOFA/ZoomEye search queries, which is typical of suspicious repos.

Classification: Suspicious 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Theoretical
Target: XAMPP (PHP CGI)
No auth needed
Prerequisites: XAMPP server with vulnerable PHP CGI configuration
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC
by nanaao · remote
https://github.com/nanaao/cve-2021-29442-Nacos-Derby-rce-exp

This repository contains a functional exploit for CVE-2021-29442, targeting Nacos' Derby database interface to achieve remote command execution via SQL injection and malicious JAR deployment. The exploit automates payload generation, execution, and interactive command handling.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Nacos ≤2.4.0-BETA
No auth needed
Prerequisites: Exposed Nacos Derby interface · Network access to target
devstral-2 · analyzed Feb 19, 2026

Nuclei Templates (1)

Nacos <1.4.1 - Authentication Bypass
HIGH · by dwisiswant0

References (3)

Core References
Exploit, Third Party Advisory (x_refsource_misc): https://github.com/alibaba/nacos/issues/4463
Exploit, Third Party Advisory (x_refsource_confirm): https://github.com/advisories/GHSA-36hp-jr8h-556f
Patch, Third Party Advisory (x_refsource_misc): https://github.com/alibaba/nacos/pull/4517

Scores

CVSS v3: 8.6
EPSS: 0.9365
EPSS Percentile: 99.9%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Details

VulnCheck KEV: 2023-11-19
CWE: CWE-306
Status: published
Products (2):
alibaba/nacos < 1.4.1
com.alibaba.nacos/nacos-common 0 - 1.4.1 (Maven)
Published: Apr 27, 2021
Tracked Since: Feb 18, 2026