
    10 vulnerabilities found for Apache ShenYu (incubating) by Apache Software Foundation

    CVE-2022-26650 (GCVE-0-2022-26650)

    Vulnerability from nvd – Published: 2022-05-17 08:05 – Updated: 2024-08-03 05:11
    Title
    Apache ShenYu (incubating) Regular expression denial of service
    Summary
    In Apache ShenYu, ShenYu-Bootstrap, RegexPredicateJudge.java uses Pattern.matches(conditionData.getParamValue(), realData) to make judgments, where both parameters are controllable by the user. This allows an attacker to pass in malicious regular expressions and characters, causing resource exhaustion. This issue affects Apache ShenYu (incubating) 2.4.0, 2.4.1 and 2.4.2 and is fixed in 2.4.3.
    Severity
    No CVSS data available. The CNA record below lists a vendor-assigned impact of "moderate" under its metrics.
    CWE
    • CWE-1333 - Inefficient Regular Expression Complexity
    Assigner
    References
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache ShenYu (incubating) Affected: unspecified , < 2.4.3 (custom)

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T05:11:43.499Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread/8rp33m3nm4bwtx3qx76mqynth3t3d673"
              },
              {
                "name": "[oss-security] 20220517 CVE-2022-26650: Apache ShenYu (incubating) Regular expression denial of service",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2022/05/17/3"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Apache ShenYu (incubating)",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThan": "2.4.3",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "In Apache ShenYui, ShenYu-Bootstrap, RegexPredicateJudge.java uses Pattern.matches(conditionData.getParamValue(), realData) to make judgments, where both parameters are controllable by the user. This can cause an attacker pass in malicious regular expressions and characters causing a resource exhaustion. This issue affects Apache ShenYu (incubating) 2.4.0, 2.4.1 and 2.4.2 and is fixed in 2.4.3."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "other": "moderate"
                },
                "type": "unknown"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1333",
                  "description": "CWE-1333 Inefficient Regular Expression Complexity",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-07-12T10:13:17.435Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://lists.apache.org/thread/8rp33m3nm4bwtx3qx76mqynth3t3d673"
            },
            {
              "name": "[oss-security] 20220517 CVE-2022-26650: Apache ShenYu (incubating) Regular expression denial of service",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2022/05/17/3"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Apache ShenYu (incubating) Regular expression denial of service",
          "workarounds": [
            {
              "lang": "en",
              "value": "Upgrade to Apache ShenYu (incubating) 2.4.3 or apply patch https://github.com/apache/incubator-shenyu/pull/2975."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@apache.org",
              "ID": "CVE-2022-26650",
              "STATE": "PUBLIC",
              "TITLE": "Apache ShenYu (incubating) Regular expression denial of service"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Apache ShenYu (incubating)",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "2.4.3"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Apache Software Foundation"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "In Apache ShenYui, ShenYu-Bootstrap, RegexPredicateJudge.java uses Pattern.matches(conditionData.getParamValue(), realData) to make judgments, where both parameters are controllable by the user. This can cause an attacker pass in malicious regular expressions and characters causing a resource exhaustion. This issue affects Apache ShenYu (incubating) 2.4.0, 2.4.1 and 2.4.2 and is fixed in 2.4.3."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": [
              {
                "other": "moderate"
              }
            ],
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-1333 Inefficient Regular Expression Complexity"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://lists.apache.org/thread/8rp33m3nm4bwtx3qx76mqynth3t3d673",
                  "refsource": "MISC",
                  "url": "https://lists.apache.org/thread/8rp33m3nm4bwtx3qx76mqynth3t3d673"
                },
                {
                  "name": "[oss-security] 20220517 CVE-2022-26650: Apache ShenYu (incubating) Regular expression denial of service",
                  "refsource": "MLIST",
                  "url": "http://www.openwall.com/lists/oss-security/2022/05/17/3"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            },
            "work_around": [
              {
                "lang": "en",
                "value": "Upgrade to Apache ShenYu (incubating) 2.4.3 or apply patch https://github.com/apache/incubator-shenyu/pull/2975."
              }
            ]
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2022-26650",
        "datePublished": "2022-05-17T08:05:10.000Z",
        "dateReserved": "2022-03-07T00:00:00.000Z",
        "dateUpdated": "2024-08-03T05:11:43.499Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-23945 (GCVE-0-2022-23945)

    Vulnerability from nvd – Published: 2022-01-25 13:00 – Updated: 2024-08-03 03:59
    Title
    Apache ShenYu missing authentication allows gateway registration
    Summary
    Missing authentication on ShenYu Admin when registering by HTTP. This issue affected Apache ShenYu 2.4.0 and 2.4.1.
    Severity
    No CVSS data available.
    CWE
    • CWE-862 - Missing Authorization
    Assigner
    References
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache ShenYu (incubating) Affected: Apache ShenYu (incubating) , < 2.4.2 (custom)

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T03:59:23.281Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread/q2gg6ny6lpkph7nkrvjzqdvqpm805v8s"
              },
              {
                "name": "[oss-security] 20220125 CVE-2022-23945: Apache ShenYu missing authentication allows gateway registration",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2022/01/25/6"
              },
              {
                "name": "[oss-security] 20220126 CVE-2022-23945: Apache ShenYu (incubating) missing authentication allows gateway registration",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2022/01/26/3"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Apache ShenYu (incubating)",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThan": "2.4.2",
                  "status": "affected",
                  "version": "Apache ShenYu (incubating)",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Missing authentication on ShenYu Admin when register by HTTP. This issue affected Apache ShenYu 2.4.0 and 2.4.1."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-01-26T12:06:13.000Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://lists.apache.org/thread/q2gg6ny6lpkph7nkrvjzqdvqpm805v8s"
            },
            {
              "name": "[oss-security] 20220125 CVE-2022-23945: Apache ShenYu missing authentication allows gateway registration",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2022/01/25/6"
            },
            {
              "name": "[oss-security] 20220126 CVE-2022-23945: Apache ShenYu (incubating) missing authentication allows gateway registration",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2022/01/26/3"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Apache ShenYu missing authentication allows gateway registration",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@apache.org",
              "ID": "CVE-2022-23945",
              "STATE": "PUBLIC",
              "TITLE": "Apache ShenYu missing authentication allows gateway registration"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Apache ShenYu (incubating)",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_name": "Apache ShenYu (incubating)",
                                "version_value": "2.4.2"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Apache Software Foundation"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Missing authentication on ShenYu Admin when register by HTTP. This issue affected Apache ShenYu 2.4.0 and 2.4.1."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": [
              {}
            ],
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-862 Missing Authorization"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://lists.apache.org/thread/q2gg6ny6lpkph7nkrvjzqdvqpm805v8s",
                  "refsource": "MISC",
                  "url": "https://lists.apache.org/thread/q2gg6ny6lpkph7nkrvjzqdvqpm805v8s"
                },
                {
                  "name": "[oss-security] 20220125 CVE-2022-23945: Apache ShenYu missing authentication allows gateway registration",
                  "refsource": "MLIST",
                  "url": "http://www.openwall.com/lists/oss-security/2022/01/25/6"
                },
                {
                  "name": "[oss-security] 20220126 CVE-2022-23945: Apache ShenYu (incubating) missing authentication allows gateway registration",
                  "refsource": "MLIST",
                  "url": "http://www.openwall.com/lists/oss-security/2022/01/26/3"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2022-23945",
        "datePublished": "2022-01-25T13:00:25.000Z",
        "dateReserved": "2022-01-25T00:00:00.000Z",
        "dateUpdated": "2024-08-03T03:59:23.281Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-23944 (GCVE-0-2022-23944)

    Vulnerability from nvd – Published: 2022-01-25 13:00 – Updated: 2024-08-03 03:59
    Title
    Apache ShenYu 2.4.1 Improper access control
    Summary
    User can access /plugin api without authentication. This issue affected Apache ShenYu 2.4.0 and 2.4.1.
    Severity
    No CVSS data available.
    CWE
    • CWE-862 - Missing Authorization
    Assigner
    References
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache ShenYu (incubating) Affected: Apache ShenYu (incubating) , < 2.4.2 (custom)

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T03:59:23.263Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread/dbrjnnlrf80dr0f92k5r2ysfvf1kr67y"
              },
              {
                "name": "[oss-security] 20220125 CVE-2022-23944: Apache ShenYu 2.4.1 Improper access control",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2022/01/25/5"
              },
              {
                "name": "[oss-security] 20220125 Re: CVE-2022-23944: Apache ShenYu 2.4.1 Improper access control",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2022/01/25/15"
              },
              {
                "name": "[oss-security] 20220126 CVE-2022-23944: Apache ShenYu (incubating) Improper access control",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2022/01/26/2"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Apache ShenYu (incubating)",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThan": "2.4.2",
                  "status": "affected",
                  "version": "Apache ShenYu (incubating)",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "User can access /plugin api without authentication. This issue affected Apache ShenYu 2.4.0 and 2.4.1."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-01-26T12:06:15.000Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://lists.apache.org/thread/dbrjnnlrf80dr0f92k5r2ysfvf1kr67y"
            },
            {
              "name": "[oss-security] 20220125 CVE-2022-23944: Apache ShenYu 2.4.1 Improper access control",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2022/01/25/5"
            },
            {
              "name": "[oss-security] 20220125 Re: CVE-2022-23944: Apache ShenYu 2.4.1 Improper access control",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2022/01/25/15"
            },
            {
              "name": "[oss-security] 20220126 CVE-2022-23944: Apache ShenYu (incubating) Improper access control",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2022/01/26/2"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Apache ShenYu 2.4.1 Improper access control",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@apache.org",
              "ID": "CVE-2022-23944",
              "STATE": "PUBLIC",
              "TITLE": "Apache ShenYu 2.4.1 Improper access control"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Apache ShenYu (incubating)",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_name": "Apache ShenYu (incubating)",
                                "version_value": "2.4.2"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Apache Software Foundation"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "User can access /plugin api without authentication. This issue affected Apache ShenYu 2.4.0 and 2.4.1."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": [
              {}
            ],
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-862 Missing Authorization"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://lists.apache.org/thread/dbrjnnlrf80dr0f92k5r2ysfvf1kr67y",
                  "refsource": "MISC",
                  "url": "https://lists.apache.org/thread/dbrjnnlrf80dr0f92k5r2ysfvf1kr67y"
                },
                {
                  "name": "[oss-security] 20220125 CVE-2022-23944: Apache ShenYu 2.4.1 Improper access control",
                  "refsource": "MLIST",
                  "url": "http://www.openwall.com/lists/oss-security/2022/01/25/5"
                },
                {
                  "name": "[oss-security] 20220125 Re: CVE-2022-23944: Apache ShenYu 2.4.1 Improper access control",
                  "refsource": "MLIST",
                  "url": "http://www.openwall.com/lists/oss-security/2022/01/25/15"
                },
                {
                  "name": "[oss-security] 20220126 CVE-2022-23944: Apache ShenYu (incubating) Improper access control",
                  "refsource": "MLIST",
                  "url": "http://www.openwall.com/lists/oss-security/2022/01/26/2"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2022-23944",
        "datePublished": "2022-01-25T13:00:24.000Z",
        "dateReserved": "2022-01-25T00:00:00.000Z",
        "dateUpdated": "2024-08-03T03:59:23.263Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-23223 (GCVE-0-2022-23223)

    Vulnerability from nvd – Published: 2022-01-25 13:00 – Updated: 2024-08-03 03:36
    Title
    Apache ShenYu Password leakage
    Summary
    On Apache ShenYu versions 2.4.0 and 2.4.1, an endpoint existed that disclosed the passwords of all users. Users are recommended to upgrade to version 2.4.2 or later.
    Severity
    No CVSS data available.
    CWE
    • CWE-522 - Insufficiently Protected Credentials
    Assigner
    References
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache ShenYu (incubating) Affected: Apache ShenYu (incubating) , < 2.4.2 (custom)

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T03:36:20.334Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread/q2gg6ny6lpkph7nkrvjzqdvqpm805v8s"
              },
              {
                "name": "[oss-security] 20220125 CVE-2022-23223: Password leakage in Apache ShenYu",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2022/01/25/7"
              },
              {
                "name": "[oss-security] 20220126 CVE-2022-23223: Apache ShenYu (incubating) Password leakage",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2022/01/26/4"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Apache ShenYu (incubating)",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThan": "2.4.2",
                  "status": "affected",
                  "version": "Apache ShenYu (incubating)",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "On Apache ShenYu versions 2.4.0 and 2.4.1, and endpoint existed that disclosed the passwords of all users. Users are recommended to upgrade to version 2.4.2 or later."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-522",
                  "description": "CWE-522 Insufficiently Protected Credentials",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-10-04T08:00:34.196Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://lists.apache.org/thread/q2gg6ny6lpkph7nkrvjzqdvqpm805v8s"
            },
            {
              "name": "[oss-security] 20220125 CVE-2022-23223: Password leakage in Apache ShenYu",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2022/01/25/7"
            },
            {
              "name": "[oss-security] 20220126 CVE-2022-23223: Apache ShenYu (incubating) Password leakage",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2022/01/26/4"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Apache ShenYu Password leakage",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@apache.org",
              "ID": "CVE-2022-23223",
              "STATE": "PUBLIC",
              "TITLE": "Apache ShenYu Password leakage"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Apache ShenYu (incubating)",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_name": "Apache ShenYu (incubating)",
                                "version_value": "2.4.2"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Apache Software Foundation"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The HTTP response will disclose the user password. This issue affected Apache ShenYu 2.4.0 and 2.4.1."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": [
              {}
            ],
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-522 Insufficiently Protected Credentials"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://lists.apache.org/thread/q2gg6ny6lpkph7nkrvjzqdvqpm805v8s",
                  "refsource": "MISC",
                  "url": "https://lists.apache.org/thread/q2gg6ny6lpkph7nkrvjzqdvqpm805v8s"
                },
                {
                  "name": "[oss-security] 20220125 CVE-2022-23223: Password leakage in Apache ShenYu",
                  "refsource": "MLIST",
                  "url": "http://www.openwall.com/lists/oss-security/2022/01/25/7"
                },
                {
                  "name": "[oss-security] 20220126 CVE-2022-23223: Apache ShenYu (incubating) Password leakage",
                  "refsource": "MLIST",
                  "url": "http://www.openwall.com/lists/oss-security/2022/01/26/4"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2022-23223",
        "datePublished": "2022-01-25T13:00:22.000Z",
        "dateReserved": "2022-01-14T00:00:00.000Z",
        "dateUpdated": "2024-08-03T03:36:20.334Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-45029 (GCVE-0-2021-45029)

    Vulnerability from nvd – Published: 2022-01-25 13:00 – Updated: 2024-08-04 04:32
    Title
    Apache ShenYu 2.4.1 Groovy Code Injection & SpEL Injection
    Summary
    Groovy Code Injection & SpEL Injection which lead to Remote Code Execution. This issue affected Apache ShenYu 2.4.0 and 2.4.1.
    Severity
    No CVSS data available.
    CWE
    • CWE-94 - Improper Control of Generation of Code ('Code Injection')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache ShenYu (incubating) Affected: Apache ShenYu (incubating) , < 2.4.2 (custom)

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T04:32:13.478Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread/3zzmwvg3012tg306x8o893fvdcssx639"
              },
              {
                "name": "[oss-security] 20220125 CVE-2021-45029: Groovy Code Injection \u0026 SpEL Injection in Apache ShenYu 2.4.1",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2022/01/25/8"
              },
              {
                "name": "[oss-security] 20220126 CVE-2021-45029: Apache ShenYu (incubating) Groovy Code Injection and SpEL Injection",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2022/01/26/1"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Apache ShenYu (incubating)",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThan": "2.4.2",
                  "status": "affected",
                  "version": "Apache ShenYu (incubating)",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Groovy Code Injection \u0026 SpEL Injection which lead to Remote Code Execution. This issue affected Apache ShenYu 2.4.0 and 2.4.1."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-94",
                  "description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-01-26T12:06:11.000Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://lists.apache.org/thread/3zzmwvg3012tg306x8o893fvdcssx639"
            },
            {
              "name": "[oss-security] 20220125 CVE-2021-45029: Groovy Code Injection \u0026 SpEL Injection in Apache ShenYu 2.4.1",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2022/01/25/8"
            },
            {
              "name": "[oss-security] 20220126 CVE-2021-45029: Apache ShenYu (incubating) Groovy Code Injection and SpEL Injection",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2022/01/26/1"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Apache ShenYu 2.4.1 Groovy Code Injection \u0026 SpEL Injection",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@apache.org",
              "ID": "CVE-2021-45029",
              "STATE": "PUBLIC",
              "TITLE": "Apache ShenYu 2.4.1 Groovy Code Injection \u0026 SpEL Injection"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Apache ShenYu (incubating)",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_name": "Apache ShenYu (incubating)",
                                "version_value": "2.4.2"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Apache Software Foundation"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Groovy Code Injection \u0026 SpEL Injection which lead to Remote Code Execution. This issue affected Apache ShenYu 2.4.0 and 2.4.1."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": [
              {}
            ],
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://lists.apache.org/thread/3zzmwvg3012tg306x8o893fvdcssx639",
                  "refsource": "MISC",
                  "url": "https://lists.apache.org/thread/3zzmwvg3012tg306x8o893fvdcssx639"
                },
                {
                  "name": "[oss-security] 20220125 CVE-2021-45029: Groovy Code Injection \u0026 SpEL Injection in Apache ShenYu 2.4.1",
                  "refsource": "MLIST",
                  "url": "http://www.openwall.com/lists/oss-security/2022/01/25/8"
                },
                {
                  "name": "[oss-security] 20220126 CVE-2021-45029: Apache ShenYu (incubating) Groovy Code Injection and SpEL Injection",
                  "refsource": "MLIST",
                  "url": "http://www.openwall.com/lists/oss-security/2022/01/26/1"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2021-45029",
        "datePublished": "2022-01-25T13:00:21.000Z",
        "dateReserved": "2021-12-13T00:00:00.000Z",
        "dateUpdated": "2024-08-04T04:32:13.478Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-26650 (GCVE-0-2022-26650)

    Vulnerability from cvelistv5 – Published: 2022-05-17 08:05 – Updated: 2024-08-03 05:11
    Title
    Apache ShenYu (incubating) Regular expression denial of service
    Summary
    In Apache ShenYu, ShenYu-Bootstrap, RegexPredicateJudge.java uses Pattern.matches(conditionData.getParamValue(), realData) to make judgments, where both parameters are controllable by the user. This allows an attacker to pass in malicious regular expressions and characters, causing resource exhaustion. This issue affects Apache ShenYu (incubating) 2.4.0, 2.4.1 and 2.4.2 and is fixed in 2.4.3.
    Severity
    No CVSS data available.
    CWE
    • CWE-1333 - Inefficient Regular Expression Complexity
    Assigner
    References
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache ShenYu (incubating) Affected: unspecified , < 2.4.3 (custom)

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T05:11:43.499Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread/8rp33m3nm4bwtx3qx76mqynth3t3d673"
              },
              {
                "name": "[oss-security] 20220517 CVE-2022-26650: Apache ShenYu (incubating) Regular expression denial of service",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2022/05/17/3"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Apache ShenYu (incubating)",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThan": "2.4.3",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "In Apache ShenYui, ShenYu-Bootstrap, RegexPredicateJudge.java uses Pattern.matches(conditionData.getParamValue(), realData) to make judgments, where both parameters are controllable by the user. This can cause an attacker pass in malicious regular expressions and characters causing a resource exhaustion. This issue affects Apache ShenYu (incubating) 2.4.0, 2.4.1 and 2.4.2 and is fixed in 2.4.3."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "other": "moderate"
                },
                "type": "unknown"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1333",
                  "description": "CWE-1333 Inefficient Regular Expression Complexity",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-07-12T10:13:17.435Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://lists.apache.org/thread/8rp33m3nm4bwtx3qx76mqynth3t3d673"
            },
            {
              "name": "[oss-security] 20220517 CVE-2022-26650: Apache ShenYu (incubating) Regular expression denial of service",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2022/05/17/3"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Apache ShenYu (incubating) Regular expression denial of service",
          "workarounds": [
            {
              "lang": "en",
              "value": "Upgrade to Apache ShenYu (incubating) 2.4.3 or apply patch https://github.com/apache/incubator-shenyu/pull/2975."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@apache.org",
              "ID": "CVE-2022-26650",
              "STATE": "PUBLIC",
              "TITLE": "Apache ShenYu (incubating) Regular expression denial of service"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Apache ShenYu (incubating)",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "2.4.3"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Apache Software Foundation"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "In Apache ShenYui, ShenYu-Bootstrap, RegexPredicateJudge.java uses Pattern.matches(conditionData.getParamValue(), realData) to make judgments, where both parameters are controllable by the user. This can cause an attacker pass in malicious regular expressions and characters causing a resource exhaustion. This issue affects Apache ShenYu (incubating) 2.4.0, 2.4.1 and 2.4.2 and is fixed in 2.4.3."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": [
              {
                "other": "moderate"
              }
            ],
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-1333 Inefficient Regular Expression Complexity"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://lists.apache.org/thread/8rp33m3nm4bwtx3qx76mqynth3t3d673",
                  "refsource": "MISC",
                  "url": "https://lists.apache.org/thread/8rp33m3nm4bwtx3qx76mqynth3t3d673"
                },
                {
                  "name": "[oss-security] 20220517 CVE-2022-26650: Apache ShenYu (incubating) Regular expression denial of service",
                  "refsource": "MLIST",
                  "url": "http://www.openwall.com/lists/oss-security/2022/05/17/3"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            },
            "work_around": [
              {
                "lang": "en",
                "value": "Upgrade to Apache ShenYu (incubating) 2.4.3 or apply patch https://github.com/apache/incubator-shenyu/pull/2975."
              }
            ]
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2022-26650",
        "datePublished": "2022-05-17T08:05:10.000Z",
        "dateReserved": "2022-03-07T00:00:00.000Z",
        "dateUpdated": "2024-08-03T05:11:43.499Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-23945 (GCVE-0-2022-23945)

    Vulnerability from cvelistv5 – Published: 2022-01-25 13:00 – Updated: 2024-08-03 03:59
    Title
    Apache ShenYu missing authentication allows gateway registration
    Summary
    Missing authentication on ShenYu Admin when registering via HTTP. This issue affected Apache ShenYu 2.4.0 and 2.4.1.
    Severity
    No CVSS data available.
    CWE
    • CWE-862 - Missing Authorization
    Assigner
    References
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache ShenYu (incubating) Affected: Apache ShenYu (incubating) , < 2.4.2 (custom)

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T03:59:23.281Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread/q2gg6ny6lpkph7nkrvjzqdvqpm805v8s"
              },
              {
                "name": "[oss-security] 20220125 CVE-2022-23945: Apache ShenYu missing authentication allows gateway registration",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2022/01/25/6"
              },
              {
                "name": "[oss-security] 20220126 CVE-2022-23945: Apache ShenYu (incubating) missing authentication allows gateway registration",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2022/01/26/3"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Apache ShenYu (incubating)",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThan": "2.4.2",
                  "status": "affected",
                  "version": "Apache ShenYu (incubating)",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Missing authentication on ShenYu Admin when register by HTTP. This issue affected Apache ShenYu 2.4.0 and 2.4.1."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-01-26T12:06:13.000Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://lists.apache.org/thread/q2gg6ny6lpkph7nkrvjzqdvqpm805v8s"
            },
            {
              "name": "[oss-security] 20220125 CVE-2022-23945: Apache ShenYu missing authentication allows gateway registration",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2022/01/25/6"
            },
            {
              "name": "[oss-security] 20220126 CVE-2022-23945: Apache ShenYu (incubating) missing authentication allows gateway registration",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2022/01/26/3"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Apache ShenYu missing authentication allows gateway registration",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@apache.org",
              "ID": "CVE-2022-23945",
              "STATE": "PUBLIC",
              "TITLE": "Apache ShenYu missing authentication allows gateway registration"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Apache ShenYu (incubating)",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_name": "Apache ShenYu (incubating)",
                                "version_value": "2.4.2"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Apache Software Foundation"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Missing authentication on ShenYu Admin when register by HTTP. This issue affected Apache ShenYu 2.4.0 and 2.4.1."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": [
              {}
            ],
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-862 Missing Authorization"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://lists.apache.org/thread/q2gg6ny6lpkph7nkrvjzqdvqpm805v8s",
                  "refsource": "MISC",
                  "url": "https://lists.apache.org/thread/q2gg6ny6lpkph7nkrvjzqdvqpm805v8s"
                },
                {
                  "name": "[oss-security] 20220125 CVE-2022-23945: Apache ShenYu missing authentication allows gateway registration",
                  "refsource": "MLIST",
                  "url": "http://www.openwall.com/lists/oss-security/2022/01/25/6"
                },
                {
                  "name": "[oss-security] 20220126 CVE-2022-23945: Apache ShenYu (incubating) missing authentication allows gateway registration",
                  "refsource": "MLIST",
                  "url": "http://www.openwall.com/lists/oss-security/2022/01/26/3"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2022-23945",
        "datePublished": "2022-01-25T13:00:25.000Z",
        "dateReserved": "2022-01-25T00:00:00.000Z",
        "dateUpdated": "2024-08-03T03:59:23.281Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-23944 (GCVE-0-2022-23944)

    Vulnerability from cvelistv5 – Published: 2022-01-25 13:00 – Updated: 2024-08-03 03:59
    Title
    Apache ShenYu 2.4.1 Improper access control
    Summary
    A user can access the /plugin API without authentication. This issue affected Apache ShenYu 2.4.0 and 2.4.1.
    Severity
    No CVSS data available.
    CWE
    • CWE-862 - Missing Authorization
    Assigner
    References
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache ShenYu (incubating) Affected: Apache ShenYu (incubating) , < 2.4.2 (custom)

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T03:59:23.263Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread/dbrjnnlrf80dr0f92k5r2ysfvf1kr67y"
              },
              {
                "name": "[oss-security] 20220125 CVE-2022-23944: Apache ShenYu 2.4.1 Improper access control",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2022/01/25/5"
              },
              {
                "name": "[oss-security] 20220125 Re: CVE-2022-23944: Apache ShenYu 2.4.1 Improper access control",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2022/01/25/15"
              },
              {
                "name": "[oss-security] 20220126 CVE-2022-23944: Apache ShenYu (incubating) Improper access control",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2022/01/26/2"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Apache ShenYu (incubating)",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThan": "2.4.2",
                  "status": "affected",
                  "version": "Apache ShenYu (incubating)",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "User can access /plugin api without authentication. This issue affected Apache ShenYu 2.4.0 and 2.4.1."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-01-26T12:06:15.000Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://lists.apache.org/thread/dbrjnnlrf80dr0f92k5r2ysfvf1kr67y"
            },
            {
              "name": "[oss-security] 20220125 CVE-2022-23944: Apache ShenYu 2.4.1 Improper access control",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2022/01/25/5"
            },
            {
              "name": "[oss-security] 20220125 Re: CVE-2022-23944: Apache ShenYu 2.4.1 Improper access control",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2022/01/25/15"
            },
            {
              "name": "[oss-security] 20220126 CVE-2022-23944: Apache ShenYu (incubating) Improper access control",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2022/01/26/2"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Apache ShenYu 2.4.1 Improper access control",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@apache.org",
              "ID": "CVE-2022-23944",
              "STATE": "PUBLIC",
              "TITLE": "Apache ShenYu 2.4.1 Improper access control"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Apache ShenYu (incubating)",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_name": "Apache ShenYu (incubating)",
                                "version_value": "2.4.2"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Apache Software Foundation"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "User can access /plugin api without authentication. This issue affected Apache ShenYu 2.4.0 and 2.4.1."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": [
              {}
            ],
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-862 Missing Authorization"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://lists.apache.org/thread/dbrjnnlrf80dr0f92k5r2ysfvf1kr67y",
                  "refsource": "MISC",
                  "url": "https://lists.apache.org/thread/dbrjnnlrf80dr0f92k5r2ysfvf1kr67y"
                },
                {
                  "name": "[oss-security] 20220125 CVE-2022-23944: Apache ShenYu 2.4.1 Improper access control",
                  "refsource": "MLIST",
                  "url": "http://www.openwall.com/lists/oss-security/2022/01/25/5"
                },
                {
                  "name": "[oss-security] 20220125 Re: CVE-2022-23944: Apache ShenYu 2.4.1 Improper access control",
                  "refsource": "MLIST",
                  "url": "http://www.openwall.com/lists/oss-security/2022/01/25/15"
                },
                {
                  "name": "[oss-security] 20220126 CVE-2022-23944: Apache ShenYu (incubating) Improper access control",
                  "refsource": "MLIST",
                  "url": "http://www.openwall.com/lists/oss-security/2022/01/26/2"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2022-23944",
        "datePublished": "2022-01-25T13:00:24.000Z",
        "dateReserved": "2022-01-25T00:00:00.000Z",
        "dateUpdated": "2024-08-03T03:59:23.263Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-23223 (GCVE-0-2022-23223)

    Vulnerability from cvelistv5 – Published: 2022-01-25 13:00 – Updated: 2024-08-03 03:36
    VLAI
    Title
    Apache ShenYu Password leakage
    Summary
    On Apache ShenYu versions 2.4.0 and 2.4.1, an endpoint existed that disclosed the passwords of all users. Users are recommended to upgrade to version 2.4.2 or later.
    Severity
    No CVSS data available.
    CWE
    • CWE-522 - Insufficiently Protected Credentials
    Assigner
    References
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache ShenYu (incubating) Affected: Apache ShenYu (incubating) , < 2.4.2 (custom)

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T03:36:20.334Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread/q2gg6ny6lpkph7nkrvjzqdvqpm805v8s"
              },
              {
                "name": "[oss-security] 20220125 CVE-2022-23223: Password leakage in Apache ShenYu",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2022/01/25/7"
              },
              {
                "name": "[oss-security] 20220126 CVE-2022-23223: Apache ShenYu (incubating) Password leakage",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2022/01/26/4"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Apache ShenYu (incubating)",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThan": "2.4.2",
                  "status": "affected",
                  "version": "Apache ShenYu (incubating)",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "On Apache ShenYu versions 2.4.0 and 2.4.1, and endpoint existed that disclosed the passwords of all users. Users are recommended to upgrade to version 2.4.2 or later."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-522",
                  "description": "CWE-522 Insufficiently Protected Credentials",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-10-04T08:00:34.196Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://lists.apache.org/thread/q2gg6ny6lpkph7nkrvjzqdvqpm805v8s"
            },
            {
              "name": "[oss-security] 20220125 CVE-2022-23223: Password leakage in Apache ShenYu",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2022/01/25/7"
            },
            {
              "name": "[oss-security] 20220126 CVE-2022-23223: Apache ShenYu (incubating) Password leakage",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2022/01/26/4"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Apache ShenYu Password leakage",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@apache.org",
              "ID": "CVE-2022-23223",
              "STATE": "PUBLIC",
              "TITLE": "Apache ShenYu Password leakage"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Apache ShenYu (incubating)",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_name": "Apache ShenYu (incubating)",
                                "version_value": "2.4.2"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Apache Software Foundation"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The HTTP response will disclose the user password. This issue affected Apache ShenYu 2.4.0 and 2.4.1."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": [
              {}
            ],
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-522 Insufficiently Protected Credentials"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://lists.apache.org/thread/q2gg6ny6lpkph7nkrvjzqdvqpm805v8s",
                  "refsource": "MISC",
                  "url": "https://lists.apache.org/thread/q2gg6ny6lpkph7nkrvjzqdvqpm805v8s"
                },
                {
                  "name": "[oss-security] 20220125 CVE-2022-23223: Password leakage in Apache ShenYu",
                  "refsource": "MLIST",
                  "url": "http://www.openwall.com/lists/oss-security/2022/01/25/7"
                },
                {
                  "name": "[oss-security] 20220126 CVE-2022-23223: Apache ShenYu (incubating) Password leakage",
                  "refsource": "MLIST",
                  "url": "http://www.openwall.com/lists/oss-security/2022/01/26/4"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2022-23223",
        "datePublished": "2022-01-25T13:00:22.000Z",
        "dateReserved": "2022-01-14T00:00:00.000Z",
        "dateUpdated": "2024-08-03T03:36:20.334Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-45029 (GCVE-0-2021-45029)

    Vulnerability from cvelistv5 – Published: 2022-01-25 13:00 – Updated: 2024-08-04 04:32
    VLAI
    Title
    Apache ShenYu 2.4.1 Groovy Code Injection & SpEL Injection
    Summary
    Groovy Code Injection & SpEL Injection which lead to Remote Code Execution. This issue affected Apache ShenYu 2.4.0 and 2.4.1.
    Severity
    No CVSS data available.
    CWE
    • CWE-94 - Improper Control of Generation of Code ('Code Injection')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache ShenYu (incubating) Affected: Apache ShenYu (incubating) , < 2.4.2 (custom)

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T04:32:13.478Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread/3zzmwvg3012tg306x8o893fvdcssx639"
              },
              {
                "name": "[oss-security] 20220125 CVE-2021-45029: Groovy Code Injection \u0026 SpEL Injection in Apache ShenYu 2.4.1",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2022/01/25/8"
              },
              {
                "name": "[oss-security] 20220126 CVE-2021-45029: Apache ShenYu (incubating) Groovy Code Injection and SpEL Injection",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2022/01/26/1"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Apache ShenYu (incubating)",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThan": "2.4.2",
                  "status": "affected",
                  "version": "Apache ShenYu (incubating)",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Groovy Code Injection \u0026 SpEL Injection which lead to Remote Code Execution. This issue affected Apache ShenYu 2.4.0 and 2.4.1."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-94",
                  "description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-01-26T12:06:11.000Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://lists.apache.org/thread/3zzmwvg3012tg306x8o893fvdcssx639"
            },
            {
              "name": "[oss-security] 20220125 CVE-2021-45029: Groovy Code Injection \u0026 SpEL Injection in Apache ShenYu 2.4.1",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2022/01/25/8"
            },
            {
              "name": "[oss-security] 20220126 CVE-2021-45029: Apache ShenYu (incubating) Groovy Code Injection and SpEL Injection",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2022/01/26/1"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Apache ShenYu 2.4.1 Groovy Code Injection \u0026 SpEL Injection",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@apache.org",
              "ID": "CVE-2021-45029",
              "STATE": "PUBLIC",
              "TITLE": "Apache ShenYu 2.4.1 Groovy Code Injection \u0026 SpEL Injection"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Apache ShenYu (incubating)",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_name": "Apache ShenYu (incubating)",
                                "version_value": "2.4.2"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Apache Software Foundation"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Groovy Code Injection \u0026 SpEL Injection which lead to Remote Code Execution. This issue affected Apache ShenYu 2.4.0 and 2.4.1."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": [
              {}
            ],
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://lists.apache.org/thread/3zzmwvg3012tg306x8o893fvdcssx639",
                  "refsource": "MISC",
                  "url": "https://lists.apache.org/thread/3zzmwvg3012tg306x8o893fvdcssx639"
                },
                {
                  "name": "[oss-security] 20220125 CVE-2021-45029: Groovy Code Injection \u0026 SpEL Injection in Apache ShenYu 2.4.1",
                  "refsource": "MLIST",
                  "url": "http://www.openwall.com/lists/oss-security/2022/01/25/8"
                },
                {
                  "name": "[oss-security] 20220126 CVE-2021-45029: Apache ShenYu (incubating) Groovy Code Injection and SpEL Injection",
                  "refsource": "MLIST",
                  "url": "http://www.openwall.com/lists/oss-security/2022/01/26/1"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2021-45029",
        "datePublished": "2022-01-25T13:00:21.000Z",
        "dateReserved": "2021-12-13T00:00:00.000Z",
        "dateUpdated": "2024-08-04T04:32:13.478Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }