CVE-2020-19676: Information Exposure

September 30, 2020 (updated July 21, 2021)

Nacos suffers from a flaw where users can access service details when unauthenticated. An environment can be set up locally to get the service details interface. Then other Nacos service names can be accessed through the service list interface. Service details can then be accessed when not logged in.

References

github.com/alibaba/nacos/issues/2284
nvd.nist.gov/vuln/detail/CVE-2020-19676

Detect and mitigate CVE-2020-19676 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →