{"api_version":"1","generated_at":"2026-04-22T23:08:49+00:00","cve":"CVE-2020-19676","urls":{"html":"https://cve.report/CVE-2020-19676","api":"https://cve.report/api/cve/CVE-2020-19676.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2020-19676","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2020-19676"},"summary":{"title":"CVE-2020-19676","description":"Nacos 1.1.4 is affected by: Incorrect Access Control. An environment can be set up locally to get the service details interface. Then other Nacos service names can be accessed through the service list interface. Service details can then be accessed when not logged in. (detail:https://github.com/alibaba/nacos/issues/2284)","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2020-09-30 18:15:00","updated_at":"2021-07-21 11:39:00"},"problem_types":["NVD-CWE-noinfo"],"metrics":[],"references":[{"url":"https://github.com/alibaba/nacos/issues/2284","name":"https://github.com/alibaba/nacos/issues/2284","refsource":"MISC","tags":["Exploit","Issue Tracking","Third Party Advisory"],"title":"Incorrect Access Control · Issue #2284 · alibaba/nacos · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2020-19676","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-19676","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2020","cve_id":"19676","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"alibaba","cpe5":"nacos","cpe6":"1.1.4","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"19676","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"alibaba","cpe5":"nacos","cpe6":"1.1.4","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2020-19676","qid":"981831","title":"Java (maven) Security Update for com.alibaba.nacos:nacos-common (GHSA-qf76-pr7x-h7r4)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2020-19676","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"Nacos 1.1.4 is affected by: Incorrect Access Control. An environment can be set up locally to get the service details interface. Then other Nacos service names can be accessed through the service list interface. Service details can then be accessed when not logged in. (detail:https://github.com/alibaba/nacos/issues/2284)"}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"url":"https://github.com/alibaba/nacos/issues/2284","refsource":"MISC","name":"https://github.com/alibaba/nacos/issues/2284"}]}},"nvd":{"publishedDate":"2020-09-30 18:15:00","lastModifiedDate":"2021-07-21 11:39:00","problem_types":["NVD-CWE-noinfo"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":5.3,"baseSeverity":"MEDIUM"},"exploitabilityScore":3.9,"impactScore":1.4},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:N/A:N","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":5},"severity":"MEDIUM","exploitabilityScore":10,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:alibaba:nacos:1.1.4:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2020","CveId":"19676","Ordinal":"181085","Title":"CVE-2020-19676","CVE":"CVE-2020-19676","Year":"2020"},"notes":[{"CveYear":"2020","CveId":"19676","Ordinal":"1","NoteData":"Nacos 1.1.4 is affected by: Incorrect Access Control. An environment can be set up locally to get the service details interface. Then other Nacos service names can be accessed through the service list interface. Service details can then be accessed when not logged in. (detail:https://github.com/alibaba/nacos/issues/2284)","Type":"Description","Title":null},{"CveYear":"2020","CveId":"19676","Ordinal":"2","NoteData":"2020-09-30","Type":"Other","Title":"Published"},{"CveYear":"2020","CveId":"19676","Ordinal":"3","NoteData":"2020-09-30","Type":"Other","Title":"Modified"}]}}}