CVE-2020-19676 — Incorrect Access Control in Nacos

Description

Nacos 1.1.4 is affected by: Incorrect Access Control. An environment can be set up locally to get the service details interface. Then other Nacos service names can be accessed through the service list interface. Service details can then be accessed when not logged in. (detail:https://github.com/alibaba/nacos/issues/2284)

How to fix CVE-2020-19676

To remediate CVE-2020-19676, upgrade the affected package to a fixed version below.

—upgrade to 1.2.0 or later

Is CVE-2020-19676 being exploited?

Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 1.2.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2020-19676
WEBgithub.com/alibaba/nacos/issues/1105
WEBgithub.com/alibaba/nacos/issues/2284
WEBgithub.com/alibaba/nacos/releases/tag/1.2.0