Search criteria
27 vulnerabilities found for shenyu by apache
VAR-202302-1211
Vulnerability from variot - Updated: 2025-03-19 23:06Improper Privilege Management vulnerability in Apache Software Foundation Apache ShenYu.
ShenYu Admin allows low-privilege low-level administrators create users with higher privileges than their own.
This issue affects Apache ShenYu: 2.5.0.
Upgrade to Apache ShenYu 2.5.1 or apply patch https://github.com/apache/shenyu/pull/3958 https://github.com/apache/shenyu/pull/3958 . Apache Software Foundation of ShenYu Exists in a permission management vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. Apache ShenYu is an asynchronous, high-performance, cross-language, and responsive API gateway of the Apache Foundation
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202302-1211",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "shenyu",
"scope": "eq",
"trust": 1.8,
"vendor": "apache",
"version": "2.5.0"
},
{
"model": "shenyu",
"scope": "eq",
"trust": 0.8,
"vendor": "apache",
"version": null
},
{
"model": "shenyu",
"scope": null,
"trust": 0.8,
"vendor": "apache",
"version": null
},
{
"model": "shenyu",
"scope": "lt",
"trust": 0.6,
"vendor": "apache",
"version": "2.5.1"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2023-23553"
},
{
"db": "JVNDB",
"id": "JVNDB-2022-019571"
},
{
"db": "NVD",
"id": "CVE-2022-42735"
}
]
},
"cve": "CVE-2022-42735",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"author": "CNVD",
"availabilityImpact": "COMPLETE",
"baseScore": 9.0,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 8.0,
"id": "CNVD-2023-23553",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 0.6,
"vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "nvd@nist.gov",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 2.8,
"id": "CVE-2022-42735",
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"trust": 2.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "High",
"baseScore": 8.8,
"baseSeverity": "High",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "CVE-2022-42735",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "Low",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2022-42735",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"id": "CVE-2022-42735",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "NVD",
"id": "CVE-2022-42735",
"trust": 0.8,
"value": "High"
},
{
"author": "CNVD",
"id": "CNVD-2023-23553",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "CNNVD",
"id": "CNNVD-202302-1251",
"trust": 0.6,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2023-23553"
},
{
"db": "JVNDB",
"id": "JVNDB-2022-019571"
},
{
"db": "CNNVD",
"id": "CNNVD-202302-1251"
},
{
"db": "NVD",
"id": "CVE-2022-42735"
},
{
"db": "NVD",
"id": "CVE-2022-42735"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Improper Privilege Management vulnerability in Apache Software Foundation Apache ShenYu. \n\n\nShenYu Admin allows low-privilege low-level administrators create users with higher privileges than their own. \n\nThis issue affects Apache ShenYu: 2.5.0. \n\nUpgrade to Apache ShenYu 2.5.1 or apply patch https://github.com/apache/shenyu/pull/3958 https://github.com/apache/shenyu/pull/3958 . Apache Software Foundation of ShenYu Exists in a permission management vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. Apache ShenYu is an asynchronous, high-performance, cross-language, and responsive API gateway of the Apache Foundation",
"sources": [
{
"db": "NVD",
"id": "CVE-2022-42735"
},
{
"db": "JVNDB",
"id": "JVNDB-2022-019571"
},
{
"db": "CNVD",
"id": "CNVD-2023-23553"
},
{
"db": "VULMON",
"id": "CVE-2022-42735"
}
],
"trust": 2.25
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2022-42735",
"trust": 3.9
},
{
"db": "JVNDB",
"id": "JVNDB-2022-019571",
"trust": 0.8
},
{
"db": "CNVD",
"id": "CNVD-2023-23553",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-202302-1251",
"trust": 0.6
},
{
"db": "VULMON",
"id": "CVE-2022-42735",
"trust": 0.1
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2023-23553"
},
{
"db": "VULMON",
"id": "CVE-2022-42735"
},
{
"db": "JVNDB",
"id": "JVNDB-2022-019571"
},
{
"db": "CNNVD",
"id": "CNNVD-202302-1251"
},
{
"db": "NVD",
"id": "CVE-2022-42735"
}
]
},
"id": "VAR-202302-1211",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2023-23553"
}
],
"trust": 1.1079365399999999
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"Network device"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2023-23553"
}
]
},
"last_update_date": "2025-03-19T23:06:33.704000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Patch for Apache ShenYu Authorization Issue Vulnerability (CNVD-2023-23553)",
"trust": 0.6,
"url": "https://www.cnvd.org.cn/patchInfo/show/415776"
},
{
"title": "Apache ShenYu Security vulnerabilities",
"trust": 0.6,
"url": "http://123.124.177.30/web/xxk/bdxqById.tag?id=226084"
},
{
"title": "",
"trust": 0.1,
"url": "https://github.com/Live-Hack-CVE/CVE-2022-42735 "
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2023-23553"
},
{
"db": "VULMON",
"id": "CVE-2022-42735"
},
{
"db": "CNNVD",
"id": "CNNVD-202302-1251"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-269",
"trust": 1.0
},
{
"problemtype": "Improper authority management (CWE-269) [NVD evaluation ]",
"trust": 0.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2022-019571"
},
{
"db": "NVD",
"id": "CVE-2022-42735"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.5,
"url": "https://lists.apache.org/thread/2k8764jmckmc19qc8x51nlnngq71pcf7"
},
{
"trust": 1.4,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-42735"
},
{
"trust": 0.6,
"url": "https://cxsecurity.com/cveshow/cve-2022-42735/"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/269.html"
},
{
"trust": 0.1,
"url": "https://github.com/live-hack-cve/cve-2022-42735"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2023-23553"
},
{
"db": "VULMON",
"id": "CVE-2022-42735"
},
{
"db": "JVNDB",
"id": "JVNDB-2022-019571"
},
{
"db": "CNNVD",
"id": "CNNVD-202302-1251"
},
{
"db": "NVD",
"id": "CVE-2022-42735"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CNVD",
"id": "CNVD-2023-23553"
},
{
"db": "VULMON",
"id": "CVE-2022-42735"
},
{
"db": "JVNDB",
"id": "JVNDB-2022-019571"
},
{
"db": "CNNVD",
"id": "CNNVD-202302-1251"
},
{
"db": "NVD",
"id": "CVE-2022-42735"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2023-03-24T00:00:00",
"db": "CNVD",
"id": "CNVD-2023-23553"
},
{
"date": "2023-02-15T00:00:00",
"db": "VULMON",
"id": "CVE-2022-42735"
},
{
"date": "2023-10-26T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2022-019571"
},
{
"date": "2023-02-15T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202302-1251"
},
{
"date": "2023-02-15T10:15:16.403000",
"db": "NVD",
"id": "CVE-2022-42735"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2023-04-03T00:00:00",
"db": "CNVD",
"id": "CNVD-2023-23553"
},
{
"date": "2023-02-16T00:00:00",
"db": "VULMON",
"id": "CVE-2022-42735"
},
{
"date": "2023-10-26T06:07:00",
"db": "JVNDB",
"id": "JVNDB-2022-019571"
},
{
"date": "2023-06-28T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202302-1251"
},
{
"date": "2025-03-19T16:15:16.090000",
"db": "NVD",
"id": "CVE-2022-42735"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202302-1251"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Apache\u00a0Software\u00a0Foundation\u00a0 of \u00a0ShenYu\u00a0 Vulnerability in privilege management in",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2022-019571"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "other",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202302-1251"
}
],
"trust": 0.6
}
}
VAR-202201-0597
Vulnerability from variot - Updated: 2024-11-23 22:20Groovy Code Injection & SpEL Injection which lead to Remote Code Execution. This issue affected Apache ShenYu 2.4.0 and 2.4.1. Apache ShenYu There is a code injection vulnerability in.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. Apache ShenYu is an asynchronous, high-performance, cross-language, and reactive API gateway of the Apache Foundation
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202201-0597",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "shenyu",
"scope": "eq",
"trust": 2.4,
"vendor": "apache",
"version": "2.4.0"
},
{
"model": "shenyu",
"scope": "eq",
"trust": 2.4,
"vendor": "apache",
"version": "2.4.1"
},
{
"model": "shenyu",
"scope": "eq",
"trust": 0.8,
"vendor": "apache",
"version": null
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-08191"
},
{
"db": "JVNDB",
"id": "JVNDB-2022-003981"
},
{
"db": "NVD",
"id": "CVE-2021-45029"
}
]
},
"cve": "CVE-2021-45029",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"id": "CVE-2021-45029",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "HIGH",
"trust": 1.8,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"id": "CNVD-2022-08191",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "HIGH",
"trust": 0.6,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "nvd@nist.gov",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 3.9,
"id": "CVE-2021-45029",
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "High",
"baseScore": 9.8,
"baseSeverity": "Critical",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "CVE-2021-45029",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2021-45029",
"trust": 1.0,
"value": "CRITICAL"
},
{
"author": "NVD",
"id": "CVE-2021-45029",
"trust": 0.8,
"value": "Critical"
},
{
"author": "CNVD",
"id": "CNVD-2022-08191",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "CNNVD",
"id": "CNNVD-202201-2298",
"trust": 0.6,
"value": "CRITICAL"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-08191"
},
{
"db": "JVNDB",
"id": "JVNDB-2022-003981"
},
{
"db": "CNNVD",
"id": "CNNVD-202201-2298"
},
{
"db": "NVD",
"id": "CVE-2021-45029"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Groovy Code Injection \u0026 SpEL Injection which lead to Remote Code Execution. This issue affected Apache ShenYu 2.4.0 and 2.4.1. Apache ShenYu There is a code injection vulnerability in.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. Apache ShenYu is an asynchronous, high-performance, cross-language, and reactive API gateway of the Apache Foundation",
"sources": [
{
"db": "NVD",
"id": "CVE-2021-45029"
},
{
"db": "JVNDB",
"id": "JVNDB-2022-003981"
},
{
"db": "CNVD",
"id": "CNVD-2022-08191"
}
],
"trust": 2.16
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2021-45029",
"trust": 3.8
},
{
"db": "OPENWALL",
"id": "OSS-SECURITY/2022/01/26/1",
"trust": 2.4
},
{
"db": "OPENWALL",
"id": "OSS-SECURITY/2022/01/25/8",
"trust": 2.4
},
{
"db": "JVNDB",
"id": "JVNDB-2022-003981",
"trust": 0.8
},
{
"db": "CNVD",
"id": "CNVD-2022-08191",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2022012522",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-202201-2298",
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-08191"
},
{
"db": "JVNDB",
"id": "JVNDB-2022-003981"
},
{
"db": "CNNVD",
"id": "CNNVD-202201-2298"
},
{
"db": "NVD",
"id": "CVE-2021-45029"
}
]
},
"id": "VAR-202201-0597",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-08191"
}
],
"trust": 1.1079365399999999
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"Network device"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-08191"
}
]
},
"last_update_date": "2024-11-23T22:20:41.038000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "CVE-2021-45029",
"trust": 0.8,
"url": "https://lists.apache.org/thread/3zzmwvg3012tg306x8o893fvdcssx639"
},
{
"title": "Patch for Apache ShenYu Code Injection Vulnerability",
"trust": 0.6,
"url": "https://www.cnvd.org.cn/patchInfo/show/316976"
},
{
"title": "Apache ShenYu Fixes for code injection vulnerabilities",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=180027"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-08191"
},
{
"db": "JVNDB",
"id": "JVNDB-2022-003981"
},
{
"db": "CNNVD",
"id": "CNNVD-202201-2298"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-94",
"trust": 1.0
},
{
"problemtype": "Code injection (CWE-94) [NVD evaluation ]",
"trust": 0.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2022-003981"
},
{
"db": "NVD",
"id": "CVE-2021-45029"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.4,
"url": "http://www.openwall.com/lists/oss-security/2022/01/25/8"
},
{
"trust": 2.4,
"url": "http://www.openwall.com/lists/oss-security/2022/01/26/1"
},
{
"trust": 2.0,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-45029"
},
{
"trust": 1.6,
"url": "https://lists.apache.org/thread/3zzmwvg3012tg306x8o893fvdcssx639"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2022012522"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-08191"
},
{
"db": "JVNDB",
"id": "JVNDB-2022-003981"
},
{
"db": "CNNVD",
"id": "CNNVD-202201-2298"
},
{
"db": "NVD",
"id": "CVE-2021-45029"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CNVD",
"id": "CNVD-2022-08191"
},
{
"db": "JVNDB",
"id": "JVNDB-2022-003981"
},
{
"db": "CNNVD",
"id": "CNNVD-202201-2298"
},
{
"db": "NVD",
"id": "CVE-2021-45029"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2022-02-01T00:00:00",
"db": "CNVD",
"id": "CNVD-2022-08191"
},
{
"date": "2023-03-14T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2022-003981"
},
{
"date": "2022-01-25T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202201-2298"
},
{
"date": "2022-01-25T13:15:07.783000",
"db": "NVD",
"id": "CVE-2021-45029"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2022-02-03T00:00:00",
"db": "CNVD",
"id": "CNVD-2022-08191"
},
{
"date": "2023-03-14T08:03:00",
"db": "JVNDB",
"id": "JVNDB-2022-003981"
},
{
"date": "2022-02-22T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202201-2298"
},
{
"date": "2024-11-21T06:31:49.763000",
"db": "NVD",
"id": "CVE-2021-45029"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202201-2298"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Apache ShenYu Code Injection Vulnerability",
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-08191"
},
{
"db": "CNNVD",
"id": "CNNVD-202201-2298"
}
],
"trust": 1.2
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "code injection",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202201-2298"
}
],
"trust": 0.6
}
}
VAR-202201-0598
Vulnerability from variot - Updated: 2024-11-23 22:20Missing authentication on ShenYu Admin when register by HTTP. This issue affected Apache ShenYu 2.4.0 and 2.4.1. ShenYu Admin There is a vulnerability in the lack of authentication for critical features.Information may be tampered with. Apache ShenYu is an asynchronous, high-performance, cross-language, reactive API gateway of the Apache Foundation. An attacker could exploit this vulnerability to cause unauthorized access to system data or functionality
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202201-0598",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "shenyu",
"scope": "eq",
"trust": 2.4,
"vendor": "apache",
"version": "2.4.0"
},
{
"model": "shenyu",
"scope": "eq",
"trust": 2.4,
"vendor": "apache",
"version": "2.4.1"
},
{
"model": "shenyu",
"scope": "eq",
"trust": 0.8,
"vendor": "apache",
"version": null
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-18269"
},
{
"db": "JVNDB",
"id": "JVNDB-2022-004223"
},
{
"db": "NVD",
"id": "CVE-2022-23945"
}
]
},
"cve": "CVE-2022-23945",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"exploitabilityScore": 10.0,
"id": "CVE-2022-23945",
"impactScore": 2.9,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 1.8,
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"exploitabilityScore": 10.0,
"id": "CNVD-2022-18269",
"impactScore": 2.9,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 0.6,
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "nvd@nist.gov",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"exploitabilityScore": 3.9,
"id": "CVE-2022-23945",
"impactScore": 3.6,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "None",
"baseScore": 7.5,
"baseSeverity": "High",
"confidentialityImpact": "None",
"exploitabilityScore": null,
"id": "CVE-2022-23945",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.0"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2022-23945",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "NVD",
"id": "CVE-2022-23945",
"trust": 0.8,
"value": "High"
},
{
"author": "CNVD",
"id": "CNVD-2022-18269",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-202201-2330",
"trust": 0.6,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-18269"
},
{
"db": "JVNDB",
"id": "JVNDB-2022-004223"
},
{
"db": "CNNVD",
"id": "CNNVD-202201-2330"
},
{
"db": "NVD",
"id": "CVE-2022-23945"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Missing authentication on ShenYu Admin when register by HTTP. This issue affected Apache ShenYu 2.4.0 and 2.4.1. ShenYu Admin There is a vulnerability in the lack of authentication for critical features.Information may be tampered with. Apache ShenYu is an asynchronous, high-performance, cross-language, reactive API gateway of the Apache Foundation. An attacker could exploit this vulnerability to cause unauthorized access to system data or functionality",
"sources": [
{
"db": "NVD",
"id": "CVE-2022-23945"
},
{
"db": "JVNDB",
"id": "JVNDB-2022-004223"
},
{
"db": "CNVD",
"id": "CNVD-2022-18269"
}
],
"trust": 2.16
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2022-23945",
"trust": 3.8
},
{
"db": "OPENWALL",
"id": "OSS-SECURITY/2022/01/25/6",
"trust": 2.4
},
{
"db": "OPENWALL",
"id": "OSS-SECURITY/2022/01/26/3",
"trust": 2.4
},
{
"db": "JVNDB",
"id": "JVNDB-2022-004223",
"trust": 0.8
},
{
"db": "CNVD",
"id": "CNVD-2022-18269",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2022012522",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-202201-2330",
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-18269"
},
{
"db": "JVNDB",
"id": "JVNDB-2022-004223"
},
{
"db": "CNNVD",
"id": "CNNVD-202201-2330"
},
{
"db": "NVD",
"id": "CVE-2022-23945"
}
]
},
"id": "VAR-202201-0598",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-18269"
}
],
"trust": 1.1079365399999999
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"Network device"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-18269"
}
]
},
"last_update_date": "2024-11-23T22:20:41.013000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "CVE-2022-23223",
"trust": 0.8,
"url": "https://lists.apache.org/thread/q2gg6ny6lpkph7nkrvjzqdvqpm805v8s"
},
{
"title": "Patch for Apache ShenYu Access Control Error Vulnerability (CNVD-2022-18269)",
"trust": 0.6,
"url": "https://www.cnvd.org.cn/patchInfo/show/324661"
},
{
"title": "Apache ShenYu Fixes for access control error vulnerabilities",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=180327"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-18269"
},
{
"db": "JVNDB",
"id": "JVNDB-2022-004223"
},
{
"db": "CNNVD",
"id": "CNNVD-202201-2330"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-306",
"trust": 1.0
},
{
"problemtype": "CWE-862",
"trust": 1.0
},
{
"problemtype": "Lack of authentication for critical features (CWE-306) [NVD evaluation ]",
"trust": 0.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2022-004223"
},
{
"db": "NVD",
"id": "CVE-2022-23945"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.4,
"url": "http://www.openwall.com/lists/oss-security/2022/01/25/6"
},
{
"trust": 2.4,
"url": "http://www.openwall.com/lists/oss-security/2022/01/26/3"
},
{
"trust": 2.0,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-23945"
},
{
"trust": 1.6,
"url": "https://lists.apache.org/thread/q2gg6ny6lpkph7nkrvjzqdvqpm805v8s"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2022012522"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-18269"
},
{
"db": "JVNDB",
"id": "JVNDB-2022-004223"
},
{
"db": "CNNVD",
"id": "CNNVD-202201-2330"
},
{
"db": "NVD",
"id": "CVE-2022-23945"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CNVD",
"id": "CNVD-2022-18269"
},
{
"db": "JVNDB",
"id": "JVNDB-2022-004223"
},
{
"db": "CNNVD",
"id": "CNNVD-202201-2330"
},
{
"db": "NVD",
"id": "CVE-2022-23945"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2022-03-10T00:00:00",
"db": "CNVD",
"id": "CNVD-2022-18269"
},
{
"date": "2023-03-31T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2022-004223"
},
{
"date": "2022-01-25T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202201-2330"
},
{
"date": "2022-01-25T13:15:08.233000",
"db": "NVD",
"id": "CVE-2022-23945"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2022-03-11T00:00:00",
"db": "CNVD",
"id": "CNVD-2022-18269"
},
{
"date": "2023-03-31T09:08:00",
"db": "JVNDB",
"id": "JVNDB-2022-004223"
},
{
"date": "2022-02-28T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202201-2330"
},
{
"date": "2024-11-21T06:49:30.330000",
"db": "NVD",
"id": "CVE-2022-23945"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202201-2330"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "ShenYu\u00a0Admin\u00a0 Vulnerability regarding lack of authentication for critical features in",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2022-004223"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "access control error",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202201-2330"
}
],
"trust": 0.6
}
}
VAR-202201-0596
Vulnerability from variot - Updated: 2024-11-23 22:20On Apache ShenYu versions 2.4.0 and 2.4.1, and endpoint existed that disclosed the passwords of all users. Users are recommended to upgrade to version 2.4.2 or later. Apache ShenYu There are vulnerabilities in inadequate protection of credentials.Information may be obtained. Apache ShenYu is an asynchronous, high-performance, cross-language, reactive API gateway of the Apache Foundation.
There is an information disclosure vulnerability in Apache ShenYu in versions 2.4.0 and 2.4.1, which originates from errors in the configuration of network systems or products during operation. An attacker could exploit this vulnerability to see the user's password in the HTTP response
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202201-0596",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "shenyu",
"scope": "eq",
"trust": 2.4,
"vendor": "apache",
"version": "2.4.0"
},
{
"model": "shenyu",
"scope": "eq",
"trust": 2.4,
"vendor": "apache",
"version": "2.4.1"
},
{
"model": "shenyu",
"scope": "eq",
"trust": 0.8,
"vendor": "apache",
"version": null
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-18268"
},
{
"db": "JVNDB",
"id": "JVNDB-2022-004182"
},
{
"db": "NVD",
"id": "CVE-2022-23223"
}
]
},
"cve": "CVE-2022-23223",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"id": "CVE-2022-23223",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 1.9,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"id": "CNVD-2022-18268",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 0.6,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "nvd@nist.gov",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 3.9,
"id": "CVE-2022-23223",
"impactScore": 3.6,
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "None",
"baseScore": 7.5,
"baseSeverity": "High",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "CVE-2022-23223",
"impactScore": null,
"integrityImpact": "None",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2022-23223",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "NVD",
"id": "CVE-2022-23223",
"trust": 0.8,
"value": "High"
},
{
"author": "CNVD",
"id": "CNVD-2022-18268",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-202201-2306",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "VULMON",
"id": "CVE-2022-23223",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-18268"
},
{
"db": "VULMON",
"id": "CVE-2022-23223"
},
{
"db": "JVNDB",
"id": "JVNDB-2022-004182"
},
{
"db": "CNNVD",
"id": "CNNVD-202201-2306"
},
{
"db": "NVD",
"id": "CVE-2022-23223"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "On Apache ShenYu versions 2.4.0 and 2.4.1, and endpoint existed that disclosed the passwords of all users. Users are recommended to upgrade to version 2.4.2 or later. Apache ShenYu There are vulnerabilities in inadequate protection of credentials.Information may be obtained. Apache ShenYu is an asynchronous, high-performance, cross-language, reactive API gateway of the Apache Foundation. \n\r\n\r\nThere is an information disclosure vulnerability in Apache ShenYu in versions 2.4.0 and 2.4.1, which originates from errors in the configuration of network systems or products during operation. An attacker could exploit this vulnerability to see the user\u0027s password in the HTTP response",
"sources": [
{
"db": "NVD",
"id": "CVE-2022-23223"
},
{
"db": "JVNDB",
"id": "JVNDB-2022-004182"
},
{
"db": "CNVD",
"id": "CNVD-2022-18268"
},
{
"db": "VULMON",
"id": "CVE-2022-23223"
}
],
"trust": 2.25
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2022-23223",
"trust": 3.9
},
{
"db": "OPENWALL",
"id": "OSS-SECURITY/2022/01/26/4",
"trust": 2.5
},
{
"db": "OPENWALL",
"id": "OSS-SECURITY/2022/01/25/7",
"trust": 1.7
},
{
"db": "JVNDB",
"id": "JVNDB-2022-004182",
"trust": 0.8
},
{
"db": "CNVD",
"id": "CNVD-2022-18268",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2022012522",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-202201-2306",
"trust": 0.6
},
{
"db": "VULMON",
"id": "CVE-2022-23223",
"trust": 0.1
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-18268"
},
{
"db": "VULMON",
"id": "CVE-2022-23223"
},
{
"db": "JVNDB",
"id": "JVNDB-2022-004182"
},
{
"db": "CNNVD",
"id": "CNNVD-202201-2306"
},
{
"db": "NVD",
"id": "CVE-2022-23223"
}
]
},
"id": "VAR-202201-0596",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-18268"
}
],
"trust": 1.1079365399999999
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"Network device"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-18268"
}
]
},
"last_update_date": "2024-11-23T22:20:40.983000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "CVE-2022-23223",
"trust": 0.8,
"url": "https://lists.apache.org/thread/q2gg6ny6lpkph7nkrvjzqdvqpm805v8s"
},
{
"title": "Patch for Apache ShenYu Information Disclosure Vulnerability",
"trust": 0.6,
"url": "https://www.cnvd.org.cn/patchInfo/show/324656"
},
{
"title": "Apache ShenYu Repair measures for information disclosure vulnerabilities",
"trust": 0.6,
"url": "http://123.124.177.30/web/xxk/bdxqById.tag?id=180314"
},
{
"title": "CVE-2022-XXXX",
"trust": 0.1,
"url": "https://github.com/AlphabugX/CVE-2022-23305 "
},
{
"title": "CVE-2022-XXXX",
"trust": 0.1,
"url": "https://github.com/AlphabugX/CVE-2022-RCE "
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-18268"
},
{
"db": "VULMON",
"id": "CVE-2022-23223"
},
{
"db": "JVNDB",
"id": "JVNDB-2022-004182"
},
{
"db": "CNNVD",
"id": "CNNVD-202201-2306"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-522",
"trust": 1.0
},
{
"problemtype": "Inadequate protection of credentials (CWE-522) [NVD evaluation ]",
"trust": 0.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2022-004182"
},
{
"db": "NVD",
"id": "CVE-2022-23223"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.5,
"url": "http://www.openwall.com/lists/oss-security/2022/01/26/4"
},
{
"trust": 2.0,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-23223"
},
{
"trust": 1.7,
"url": "https://lists.apache.org/thread/q2gg6ny6lpkph7nkrvjzqdvqpm805v8s"
},
{
"trust": 1.7,
"url": "http://www.openwall.com/lists/oss-security/2022/01/25/7"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2022012522"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/522.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
},
{
"trust": 0.1,
"url": "https://github.com/alphabugx/cve-2022-23305"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-18268"
},
{
"db": "VULMON",
"id": "CVE-2022-23223"
},
{
"db": "JVNDB",
"id": "JVNDB-2022-004182"
},
{
"db": "CNNVD",
"id": "CNNVD-202201-2306"
},
{
"db": "NVD",
"id": "CVE-2022-23223"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CNVD",
"id": "CNVD-2022-18268"
},
{
"db": "VULMON",
"id": "CVE-2022-23223"
},
{
"db": "JVNDB",
"id": "JVNDB-2022-004182"
},
{
"db": "CNNVD",
"id": "CNNVD-202201-2306"
},
{
"db": "NVD",
"id": "CVE-2022-23223"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2022-03-10T00:00:00",
"db": "CNVD",
"id": "CNVD-2022-18268"
},
{
"date": "2022-01-25T00:00:00",
"db": "VULMON",
"id": "CVE-2022-23223"
},
{
"date": "2023-03-28T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2022-004182"
},
{
"date": "2022-01-25T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202201-2306"
},
{
"date": "2022-01-25T13:15:08.137000",
"db": "NVD",
"id": "CVE-2022-23223"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2022-03-11T00:00:00",
"db": "CNVD",
"id": "CNVD-2022-18268"
},
{
"date": "2023-10-16T00:00:00",
"db": "VULMON",
"id": "CVE-2022-23223"
},
{
"date": "2023-03-28T03:23:00",
"db": "JVNDB",
"id": "JVNDB-2022-004182"
},
{
"date": "2023-07-14T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202201-2306"
},
{
"date": "2024-11-21T06:48:13.633000",
"db": "NVD",
"id": "CVE-2022-23223"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202201-2306"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Apache ShenYu Information Disclosure Vulnerability",
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-18268"
},
{
"db": "CNNVD",
"id": "CNNVD-202201-2306"
}
],
"trust": 1.2
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "information disclosure",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202201-2306"
}
],
"trust": 0.6
}
}
VAR-202201-0599
Vulnerability from variot - Updated: 2024-11-23 22:20User can access /plugin api without authentication. This issue affected Apache ShenYu 2.4.0 and 2.4.1. Apache ShenYu There is a vulnerability in the lack of authentication for critical features.Information may be obtained and information may be tampered with. Apache ShenYu is an asynchronous, high-performance, cross-language, reactive API gateway.
An access control error vulnerability exists in Apache ShenYu version 2.4.0 and 2.4.1
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202201-0599",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "shenyu",
"scope": "eq",
"trust": 2.4,
"vendor": "apache",
"version": "2.4.0"
},
{
"model": "shenyu",
"scope": "eq",
"trust": 2.4,
"vendor": "apache",
"version": "2.4.1"
},
{
"model": "shenyu",
"scope": "eq",
"trust": 0.8,
"vendor": "apache",
"version": null
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-14708"
},
{
"db": "JVNDB",
"id": "JVNDB-2022-004181"
},
{
"db": "NVD",
"id": "CVE-2022-23944"
}
]
},
"cve": "CVE-2022-23944",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"id": "CVE-2022-23944",
"impactScore": 4.9,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 1.9,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"id": "CNVD-2022-14708",
"impactScore": 4.9,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 0.6,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "nvd@nist.gov",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 3.9,
"id": "CVE-2022-23944",
"impactScore": 5.2,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "None",
"baseScore": 9.1,
"baseSeverity": "Critical",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "CVE-2022-23944",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.0"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2022-23944",
"trust": 1.0,
"value": "CRITICAL"
},
{
"author": "NVD",
"id": "CVE-2022-23944",
"trust": 0.8,
"value": "Critical"
},
{
"author": "CNVD",
"id": "CNVD-2022-14708",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-202201-2308",
"trust": 0.6,
"value": "CRITICAL"
},
{
"author": "VULMON",
"id": "CVE-2022-23944",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-14708"
},
{
"db": "VULMON",
"id": "CVE-2022-23944"
},
{
"db": "JVNDB",
"id": "JVNDB-2022-004181"
},
{
"db": "CNNVD",
"id": "CNNVD-202201-2308"
},
{
"db": "NVD",
"id": "CVE-2022-23944"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "User can access /plugin api without authentication. This issue affected Apache ShenYu 2.4.0 and 2.4.1. Apache ShenYu There is a vulnerability in the lack of authentication for critical features.Information may be obtained and information may be tampered with. Apache ShenYu is an asynchronous, high-performance, cross-language, reactive API gateway. \n\r\n\r\nAn access control error vulnerability exists in Apache ShenYu version 2.4.0 and 2.4.1",
"sources": [
{
"db": "NVD",
"id": "CVE-2022-23944"
},
{
"db": "JVNDB",
"id": "JVNDB-2022-004181"
},
{
"db": "CNVD",
"id": "CNVD-2022-14708"
},
{
"db": "VULMON",
"id": "CVE-2022-23944"
}
],
"trust": 2.25
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2022-23944",
"trust": 3.9
},
{
"db": "OPENWALL",
"id": "OSS-SECURITY/2022/01/26/2",
"trust": 2.5
},
{
"db": "OPENWALL",
"id": "OSS-SECURITY/2022/01/25/5",
"trust": 1.7
},
{
"db": "OPENWALL",
"id": "OSS-SECURITY/2022/01/25/15",
"trust": 1.7
},
{
"db": "JVNDB",
"id": "JVNDB-2022-004181",
"trust": 0.8
},
{
"db": "CNVD",
"id": "CNVD-2022-14708",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2022012522",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-202201-2308",
"trust": 0.6
},
{
"db": "VULMON",
"id": "CVE-2022-23944",
"trust": 0.1
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-14708"
},
{
"db": "VULMON",
"id": "CVE-2022-23944"
},
{
"db": "JVNDB",
"id": "JVNDB-2022-004181"
},
{
"db": "CNNVD",
"id": "CNNVD-202201-2308"
},
{
"db": "NVD",
"id": "CVE-2022-23944"
}
]
},
"id": "VAR-202201-0599",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-14708"
}
],
"trust": 1.1079365399999999
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"Network device"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-14708"
}
]
},
"last_update_date": "2024-11-23T22:20:40.953000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "CVE-2022-23944",
"trust": 0.8,
"url": "https://lists.apache.org/thread/dbrjnnlrf80dr0f92k5r2ysfvf1kr67y"
},
{
"title": "Patch for Apache ShenYu Access Control Error Vulnerability",
"trust": 0.6,
"url": "https://www.cnvd.org.cn/patchInfo/show/321656"
},
{
"title": "Apache ShenYu Fixes for access control error vulnerabilities",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=180316"
},
{
"title": "",
"trust": 0.1,
"url": "https://github.com/xinyisleep/pocscan "
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-14708"
},
{
"db": "VULMON",
"id": "CVE-2022-23944"
},
{
"db": "JVNDB",
"id": "JVNDB-2022-004181"
},
{
"db": "CNNVD",
"id": "CNNVD-202201-2308"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-306",
"trust": 1.0
},
{
"problemtype": "CWE-862",
"trust": 1.0
},
{
"problemtype": "Lack of authentication for critical features (CWE-306) [NVD evaluation ]",
"trust": 0.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2022-004181"
},
{
"db": "NVD",
"id": "CVE-2022-23944"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.5,
"url": "http://www.openwall.com/lists/oss-security/2022/01/26/2"
},
{
"trust": 2.0,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-23944"
},
{
"trust": 1.7,
"url": "https://lists.apache.org/thread/dbrjnnlrf80dr0f92k5r2ysfvf1kr67y"
},
{
"trust": 1.7,
"url": "http://www.openwall.com/lists/oss-security/2022/01/25/5"
},
{
"trust": 1.7,
"url": "http://www.openwall.com/lists/oss-security/2022/01/25/15"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2022012522"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/306.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
},
{
"trust": 0.1,
"url": "https://github.com/xinyisleep/pocscan"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-14708"
},
{
"db": "VULMON",
"id": "CVE-2022-23944"
},
{
"db": "JVNDB",
"id": "JVNDB-2022-004181"
},
{
"db": "CNNVD",
"id": "CNNVD-202201-2308"
},
{
"db": "NVD",
"id": "CVE-2022-23944"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CNVD",
"id": "CNVD-2022-14708"
},
{
"db": "VULMON",
"id": "CVE-2022-23944"
},
{
"db": "JVNDB",
"id": "JVNDB-2022-004181"
},
{
"db": "CNNVD",
"id": "CNNVD-202201-2308"
},
{
"db": "NVD",
"id": "CVE-2022-23944"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2022-02-23T00:00:00",
"db": "CNVD",
"id": "CNVD-2022-14708"
},
{
"date": "2022-01-25T00:00:00",
"db": "VULMON",
"id": "CVE-2022-23944"
},
{
"date": "2023-03-28T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2022-004181"
},
{
"date": "2022-01-25T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202201-2308"
},
{
"date": "2022-01-25T13:15:08.183000",
"db": "NVD",
"id": "CVE-2022-23944"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2022-02-25T00:00:00",
"db": "CNVD",
"id": "CNVD-2022-14708"
},
{
"date": "2022-02-01T00:00:00",
"db": "VULMON",
"id": "CVE-2022-23944"
},
{
"date": "2023-03-28T03:11:00",
"db": "JVNDB",
"id": "JVNDB-2022-004181"
},
{
"date": "2022-02-28T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202201-2308"
},
{
"date": "2024-11-21T06:49:30.207000",
"db": "NVD",
"id": "CVE-2022-23944"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202201-2308"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Apache ShenYu Access Control Error Vulnerability",
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-14708"
},
{
"db": "CNNVD",
"id": "CNNVD-202201-2308"
}
],
"trust": 1.2
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "access control error",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202201-2308"
}
],
"trust": 0.6
}
}
VAR-202205-1369
Vulnerability from variot - Updated: 2024-11-23 22:04In Apache ShenYui, ShenYu-Bootstrap, RegexPredicateJudge.java uses Pattern.matches(conditionData.getParamValue(), realData) to make judgments, where both parameters are controllable by the user. This can cause an attacker pass in malicious regular expressions and characters causing a resource exhaustion. This issue affects Apache ShenYu (incubating) 2.4.0, 2.4.1 and 2.4.2 and is fixed in 2.4.3. Apache ShenYu is an asynchronous, high-performance, cross-language, reactive API gateway of the Apache Foundation.
A denial of service vulnerability exists in Apache ShenYu, which is caused by not properly handling the input error message
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202205-1369",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "shenyu",
"scope": "eq",
"trust": 1.6,
"vendor": "apache",
"version": "2.4.0"
},
{
"model": "shenyu",
"scope": "eq",
"trust": 1.6,
"vendor": "apache",
"version": "2.4.1"
},
{
"model": "shenyu",
"scope": "eq",
"trust": 1.6,
"vendor": "apache",
"version": "2.4.2"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-41632"
},
{
"db": "NVD",
"id": "CVE-2022-26650"
}
]
},
"cve": "CVE-2022-26650",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"exploitabilityScore": 10.0,
"id": "CVE-2022-26650",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 1.1,
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"exploitabilityScore": 10.0,
"id": "CNVD-2022-41632",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 0.6,
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "nvd@nist.gov",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"exploitabilityScore": 3.9,
"id": "CVE-2022-26650",
"impactScore": 3.6,
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2022-26650",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "CNVD",
"id": "CNVD-2022-41632",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-202205-3542",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "VULMON",
"id": "CVE-2022-26650",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-41632"
},
{
"db": "VULMON",
"id": "CVE-2022-26650"
},
{
"db": "CNNVD",
"id": "CNNVD-202205-3542"
},
{
"db": "NVD",
"id": "CVE-2022-26650"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "In Apache ShenYui, ShenYu-Bootstrap, RegexPredicateJudge.java uses Pattern.matches(conditionData.getParamValue(), realData) to make judgments, where both parameters are controllable by the user. This can cause an attacker pass in malicious regular expressions and characters causing a resource exhaustion. This issue affects Apache ShenYu (incubating) 2.4.0, 2.4.1 and 2.4.2 and is fixed in 2.4.3. Apache ShenYu is an asynchronous, high-performance, cross-language, reactive API gateway of the Apache Foundation. \n\r\n\r\nA denial of service vulnerability exists in Apache ShenYu, which is caused by not properly handling the input error message",
"sources": [
{
"db": "NVD",
"id": "CVE-2022-26650"
},
{
"db": "CNVD",
"id": "CNVD-2022-41632"
},
{
"db": "VULMON",
"id": "CVE-2022-26650"
}
],
"trust": 1.53
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2022-26650",
"trust": 2.3
},
{
"db": "OPENWALL",
"id": "OSS-SECURITY/2022/05/17/3",
"trust": 1.7
},
{
"db": "CNVD",
"id": "CNVD-2022-41632",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2022051722",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-202205-3542",
"trust": 0.6
},
{
"db": "VULMON",
"id": "CVE-2022-26650",
"trust": 0.1
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-41632"
},
{
"db": "VULMON",
"id": "CVE-2022-26650"
},
{
"db": "CNNVD",
"id": "CNNVD-202205-3542"
},
{
"db": "NVD",
"id": "CVE-2022-26650"
}
]
},
"id": "VAR-202205-1369",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-41632"
}
],
"trust": 1.1079365399999999
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"Network device"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-41632"
}
]
},
"last_update_date": "2024-11-23T22:04:50.012000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Patch for Apache ShenYu Denial of Service Vulnerability",
"trust": 0.6,
"url": "https://www.cnvd.org.cn/patchInfo/show/334086"
},
{
"title": "Apache ShenYu Security vulnerabilities",
"trust": 0.6,
"url": "http://123.124.177.30/web/xxk/bdxqById.tag?id=194105"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-41632"
},
{
"db": "CNNVD",
"id": "CNNVD-202205-3542"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-1333",
"trust": 1.0
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2022-26650"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 1.7,
"url": "https://lists.apache.org/thread/8rp33m3nm4bwtx3qx76mqynth3t3d673"
},
{
"trust": 1.7,
"url": "http://www.openwall.com/lists/oss-security/2022/05/17/3"
},
{
"trust": 0.6,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-26650"
},
{
"trust": 0.6,
"url": "https://cxsecurity.com/cveshow/cve-2022-26650/"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2022051722"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/862.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-41632"
},
{
"db": "VULMON",
"id": "CVE-2022-26650"
},
{
"db": "CNNVD",
"id": "CNNVD-202205-3542"
},
{
"db": "NVD",
"id": "CVE-2022-26650"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CNVD",
"id": "CNVD-2022-41632"
},
{
"db": "VULMON",
"id": "CVE-2022-26650"
},
{
"db": "CNNVD",
"id": "CNNVD-202205-3542"
},
{
"db": "NVD",
"id": "CVE-2022-26650"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2022-05-28T00:00:00",
"db": "CNVD",
"id": "CNVD-2022-41632"
},
{
"date": "2022-05-17T00:00:00",
"db": "VULMON",
"id": "CVE-2022-26650"
},
{
"date": "2022-05-17T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202205-3542"
},
{
"date": "2022-05-17T08:15:06.423000",
"db": "NVD",
"id": "CVE-2022-26650"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2022-05-28T00:00:00",
"db": "CNVD",
"id": "CNVD-2022-41632"
},
{
"date": "2022-05-25T00:00:00",
"db": "VULMON",
"id": "CVE-2022-26650"
},
{
"date": "2023-07-12T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202205-3542"
},
{
"date": "2024-11-21T06:54:15.510000",
"db": "NVD",
"id": "CVE-2022-26650"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202205-3542"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Apache ShenYu Denial of Service Vulnerability",
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-41632"
}
],
"trust": 0.6
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "other",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202205-3542"
}
],
"trust": 0.6
}
}
VAR-202310-0478
Vulnerability from variot - Updated: 2024-08-14 15:26There exists an SSRF (Server-Side Request Forgery) vulnerability located at the /sandbox/proxyGateway endpoint. This vulnerability allows us to manipulate arbitrary requests and retrieve corresponding responses by inputting any URL into the requestUrl parameter.
Of particular concern is our ability to exert control over the HTTP method, cookies, IP address, and headers. This effectively grants us the capability to dispatch complete HTTP requests to hosts of our choosing.
This issue affects Apache ShenYu: 2.5.1.
Upgrade to Apache ShenYu 2.6.0 or apply patch https://github.com/apache/shenyu/pull/4776
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202310-0478",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "shenyu",
"scope": "eq",
"trust": 1.8,
"vendor": "apache",
"version": "2.5.1"
},
{
"model": "shenyu",
"scope": "eq",
"trust": 0.8,
"vendor": "apache",
"version": null
},
{
"model": "shenyu",
"scope": null,
"trust": 0.8,
"vendor": "apache",
"version": null
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2023-015478"
},
{
"db": "NVD",
"id": "CVE-2023-25753"
}
]
},
"cve": "CVE-2023-25753",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "nvd@nist.gov",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"exploitabilityScore": 3.9,
"id": "CVE-2023-25753",
"impactScore": 2.5,
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "None",
"baseScore": 6.5,
"baseSeverity": "Medium",
"confidentialityImpact": "Low",
"exploitabilityScore": null,
"id": "CVE-2023-25753",
"impactScore": null,
"integrityImpact": "Low",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.0"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2023-25753",
"trust": 1.0,
"value": "MEDIUM"
},
{
"author": "NVD",
"id": "CVE-2023-25753",
"trust": 0.8,
"value": "Medium"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2023-015478"
},
{
"db": "NVD",
"id": "CVE-2023-25753"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "\nThere exists an SSRF (Server-Side Request Forgery) vulnerability located at the /sandbox/proxyGateway endpoint. This vulnerability allows us to manipulate arbitrary requests and retrieve corresponding responses by inputting any URL into the requestUrl parameter. \n\nOf particular concern is our ability to exert control over the HTTP method, cookies, IP address, and headers. This effectively grants us the capability to dispatch complete HTTP requests to hosts of our choosing. \n\nThis issue affects Apache ShenYu: 2.5.1. \n\nUpgrade to Apache ShenYu 2.6.0 or apply patch\u00a0 https://github.com/apache/shenyu/pull/4776 \u00a0",
"sources": [
{
"db": "NVD",
"id": "CVE-2023-25753"
},
{
"db": "JVNDB",
"id": "JVNDB-2023-015478"
},
{
"db": "VULMON",
"id": "CVE-2023-25753"
}
],
"trust": 1.71
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2023-25753",
"trust": 2.7
},
{
"db": "JVNDB",
"id": "JVNDB-2023-015478",
"trust": 0.8
},
{
"db": "VULMON",
"id": "CVE-2023-25753",
"trust": 0.1
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2023-25753"
},
{
"db": "JVNDB",
"id": "JVNDB-2023-015478"
},
{
"db": "NVD",
"id": "CVE-2023-25753"
}
]
},
"id": "VAR-202310-0478",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VARIoT devices database",
"id": null
}
],
"trust": 0.50793654
},
"last_update_date": "2024-08-14T15:26:23.679000Z",
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-918",
"trust": 1.0
},
{
"problemtype": "Server-side request forgery (CWE-918) [NVD evaluation ]",
"trust": 0.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2023-015478"
},
{
"db": "NVD",
"id": "CVE-2023-25753"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 1.9,
"url": "https://lists.apache.org/thread/chprswxvb22z35vnoxv9tt3zknsm977d"
},
{
"trust": 0.8,
"url": "https://nvd.nist.gov/vuln/detail/cve-2023-25753"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/918.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2023-25753"
},
{
"db": "JVNDB",
"id": "JVNDB-2023-015478"
},
{
"db": "NVD",
"id": "CVE-2023-25753"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULMON",
"id": "CVE-2023-25753"
},
{
"db": "JVNDB",
"id": "JVNDB-2023-015478"
},
{
"db": "NVD",
"id": "CVE-2023-25753"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2023-10-19T00:00:00",
"db": "VULMON",
"id": "CVE-2023-25753"
},
{
"date": "2023-12-27T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2023-015478"
},
{
"date": "2023-10-19T09:15:08.480000",
"db": "NVD",
"id": "CVE-2023-25753"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2023-10-19T00:00:00",
"db": "VULMON",
"id": "CVE-2023-25753"
},
{
"date": "2023-12-27T06:41:00",
"db": "JVNDB",
"id": "JVNDB-2023-015478"
},
{
"date": "2023-10-25T17:20:20.830000",
"db": "NVD",
"id": "CVE-2023-25753"
}
]
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Apache\u00a0Software\u00a0Foundation\u00a0 of \u00a0ShenYu\u00a0 Server-side request forgery vulnerability in",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2023-015478"
}
],
"trust": 0.8
}
}
VAR-202209-0112
Vulnerability from variot - Updated: 2024-08-14 15:16Apache ShenYu Admin has insecure permissions, which may allow low-privilege administrators to modify high-privilege administrator's passwords. This issue affects Apache ShenYu 2.4.2 and 2.4.3. Apache Software Foundation of ShenYu Contains a vulnerability in improper permission assignment for critical resources.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202209-0112",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "shenyu",
"scope": "eq",
"trust": 1.8,
"vendor": "apache",
"version": "2.4.3"
},
{
"model": "shenyu",
"scope": "eq",
"trust": 1.8,
"vendor": "apache",
"version": "2.4.2"
},
{
"model": "shenyu",
"scope": null,
"trust": 0.8,
"vendor": "apache",
"version": null
},
{
"model": "shenyu",
"scope": "eq",
"trust": 0.8,
"vendor": "apache",
"version": null
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2022-016408"
},
{
"db": "NVD",
"id": "CVE-2022-37435"
}
]
},
"cve": "CVE-2022-37435",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "nvd@nist.gov",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 2.8,
"id": "CVE-2022-37435",
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "High",
"baseScore": 8.8,
"baseSeverity": "High",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "CVE-2022-37435",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "Low",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2022-37435",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "NVD",
"id": "CVE-2022-37435",
"trust": 0.8,
"value": "High"
},
{
"author": "CNNVD",
"id": "CNNVD-202209-020",
"trust": 0.6,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2022-016408"
},
{
"db": "CNNVD",
"id": "CNNVD-202209-020"
},
{
"db": "NVD",
"id": "CVE-2022-37435"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Apache ShenYu Admin has insecure permissions, which may allow low-privilege administrators to modify high-privilege administrator\u0027s passwords. This issue affects Apache ShenYu 2.4.2 and 2.4.3. Apache Software Foundation of ShenYu Contains a vulnerability in improper permission assignment for critical resources.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state",
"sources": [
{
"db": "NVD",
"id": "CVE-2022-37435"
},
{
"db": "JVNDB",
"id": "JVNDB-2022-016408"
},
{
"db": "VULMON",
"id": "CVE-2022-37435"
}
],
"trust": 1.71
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2022-37435",
"trust": 3.3
},
{
"db": "JVNDB",
"id": "JVNDB-2022-016408",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-202209-020",
"trust": 0.6
},
{
"db": "VULMON",
"id": "CVE-2022-37435",
"trust": 0.1
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2022-37435"
},
{
"db": "JVNDB",
"id": "JVNDB-2022-016408"
},
{
"db": "CNNVD",
"id": "CNNVD-202209-020"
},
{
"db": "NVD",
"id": "CVE-2022-37435"
}
]
},
"id": "VAR-202209-0112",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VARIoT devices database",
"id": null
}
],
"trust": 0.50793654
},
"last_update_date": "2024-08-14T15:16:30.842000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Apache ShenYu Security vulnerabilities",
"trust": 0.6,
"url": "http://123.124.177.30/web/xxk/bdxqById.tag?id=207153"
}
],
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202209-020"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-732",
"trust": 1.0
},
{
"problemtype": "Improper permission assignment for critical resources (CWE-732) [ others ]",
"trust": 0.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2022-016408"
},
{
"db": "NVD",
"id": "CVE-2022-37435"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.5,
"url": "https://lists.apache.org/thread/ndblyxr2fdrvjtgbs1bogxgv2cgk7t28"
},
{
"trust": 0.8,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-37435"
},
{
"trust": 0.6,
"url": "https://cxsecurity.com/cveshow/cve-2022-37435/"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2022-37435"
},
{
"db": "JVNDB",
"id": "JVNDB-2022-016408"
},
{
"db": "CNNVD",
"id": "CNNVD-202209-020"
},
{
"db": "NVD",
"id": "CVE-2022-37435"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULMON",
"id": "CVE-2022-37435"
},
{
"db": "JVNDB",
"id": "JVNDB-2022-016408"
},
{
"db": "CNNVD",
"id": "CNNVD-202209-020"
},
{
"db": "NVD",
"id": "CVE-2022-37435"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2022-09-01T00:00:00",
"db": "VULMON",
"id": "CVE-2022-37435"
},
{
"date": "2023-10-04T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2022-016408"
},
{
"date": "2022-09-01T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202209-020"
},
{
"date": "2022-09-01T14:15:10.427000",
"db": "NVD",
"id": "CVE-2022-37435"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2022-09-01T00:00:00",
"db": "VULMON",
"id": "CVE-2022-37435"
},
{
"date": "2023-10-04T08:57:00",
"db": "JVNDB",
"id": "JVNDB-2022-016408"
},
{
"date": "2023-07-24T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202209-020"
},
{
"date": "2023-08-02T17:20:00.120000",
"db": "NVD",
"id": "CVE-2022-37435"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202209-020"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Apache\u00a0Software\u00a0Foundation\u00a0 of \u00a0ShenYu\u00a0 Vulnerability in improper permission assignment for critical resources in",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2022-016408"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "other",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202209-020"
}
],
"trust": 0.6
}
}
VAR-202111-0822
Vulnerability from variot - Updated: 2024-08-14 13:53A flaw was found in Apache ShenYu Admin. The incorrect use of JWT in ShenyuAdminBootstrap allows an attacker to bypass authentication. This issue affected Apache ShenYu 2.3.0 and 2.4.0. Apache ShenYu Admin There is an authentication vulnerability in.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. Apache ShenYu is an asynchronous, high-performance, cross-language, and responsive API gateway of the Apache Foundation. No detailed vulnerability details are currently provided
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202111-0822",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "shenyu",
"scope": "eq",
"trust": 2.4,
"vendor": "apache",
"version": "2.3.0"
},
{
"model": "shenyu",
"scope": "eq",
"trust": 2.4,
"vendor": "apache",
"version": "2.4.0"
},
{
"model": "shenyu",
"scope": "eq",
"trust": 0.8,
"vendor": "apache",
"version": null
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2021-89682"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-015197"
},
{
"db": "NVD",
"id": "CVE-2021-37580"
}
]
},
"cve": "CVE-2021-37580",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"id": "CVE-2021-37580",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "HIGH",
"trust": 1.9,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"id": "CNVD-2021-89682",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "HIGH",
"trust": 0.6,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "nvd@nist.gov",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 3.9,
"id": "CVE-2021-37580",
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "High",
"baseScore": 9.8,
"baseSeverity": "Critical",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "CVE-2021-37580",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2021-37580",
"trust": 1.0,
"value": "CRITICAL"
},
{
"author": "NVD",
"id": "CVE-2021-37580",
"trust": 0.8,
"value": "Critical"
},
{
"author": "CNVD",
"id": "CNVD-2021-89682",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "CNNVD",
"id": "CNNVD-202111-1500",
"trust": 0.6,
"value": "CRITICAL"
},
{
"author": "VULMON",
"id": "CVE-2021-37580",
"trust": 0.1,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2021-89682"
},
{
"db": "VULMON",
"id": "CVE-2021-37580"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-015197"
},
{
"db": "CNNVD",
"id": "CNNVD-202111-1500"
},
{
"db": "NVD",
"id": "CVE-2021-37580"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "A flaw was found in Apache ShenYu Admin. The incorrect use of JWT in ShenyuAdminBootstrap allows an attacker to bypass authentication. This issue affected Apache ShenYu 2.3.0 and 2.4.0. Apache ShenYu Admin There is an authentication vulnerability in.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. Apache ShenYu is an asynchronous, high-performance, cross-language, and responsive API gateway of the Apache Foundation. No detailed vulnerability details are currently provided",
"sources": [
{
"db": "NVD",
"id": "CVE-2021-37580"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-015197"
},
{
"db": "CNVD",
"id": "CNVD-2021-89682"
},
{
"db": "VULMON",
"id": "CVE-2021-37580"
}
],
"trust": 2.25
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2021-37580",
"trust": 3.9
},
{
"db": "OPENWALL",
"id": "OSS-SECURITY/2021/11/16/1",
"trust": 1.7
},
{
"db": "JVNDB",
"id": "JVNDB-2021-015197",
"trust": 0.8
},
{
"db": "CNVD",
"id": "CNVD-2021-89682",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-202111-1500",
"trust": 0.6
},
{
"db": "VULMON",
"id": "CVE-2021-37580",
"trust": 0.1
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2021-89682"
},
{
"db": "VULMON",
"id": "CVE-2021-37580"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-015197"
},
{
"db": "CNNVD",
"id": "CNNVD-202111-1500"
},
{
"db": "NVD",
"id": "CVE-2021-37580"
}
]
},
"id": "VAR-202111-0822",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2021-89682"
}
],
"trust": 1.1079365399999999
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"Network device"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2021-89682"
}
]
},
"last_update_date": "2024-08-14T13:53:47.025000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "CVE-2021-37580",
"trust": 0.8,
"url": "https://lists.apache.org/thread/o15j25qwtpcw62k48xw1tnv48skh3zgb"
},
{
"title": "Patch for Apache ShenYu authorization issue vulnerability",
"trust": 0.6,
"url": "https://www.cnvd.org.cn/patchInfo/show/300116"
},
{
"title": "Apache ShenYu Remediation measures for authorization problem vulnerabilities",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=170134"
},
{
"title": "CVE-2021-37580",
"trust": 0.1,
"url": "https://github.com/Liang2580/CVE-2021-37580 "
},
{
"title": "CVE-2021-37580",
"trust": 0.1,
"url": "https://github.com/fengwenhua/CVE-2021-37580 "
},
{
"title": "CVE-2021-37580",
"trust": 0.1,
"url": "https://github.com/rabbitsafe/CVE-2021-37580 "
},
{
"title": "westone-CVE-2021-37580-scanner",
"trust": 0.1,
"url": "https://github.com/Osyanina/westone-CVE-2021-37580-scanner "
},
{
"title": "CVE-2021-37580",
"trust": 0.1,
"url": "https://github.com/Wing-song/CVE-2021-37580 "
},
{
"title": "CVE-2021-37580",
"trust": 0.1,
"url": "https://github.com/ZororoZ/CVE-2021-37580 "
},
{
"title": "langligelang",
"trust": 0.1,
"url": "https://github.com/langligelang/langligelang "
},
{
"title": "db_script_v2",
"trust": 0.1,
"url": "https://github.com/Ilovewomen/db_script_v2 "
},
{
"title": "db_script_v2_2",
"trust": 0.1,
"url": "https://github.com/Ilovewomen/db_script_v2_2 "
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2021-89682"
},
{
"db": "VULMON",
"id": "CVE-2021-37580"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-015197"
},
{
"db": "CNNVD",
"id": "CNNVD-202111-1500"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-287",
"trust": 1.0
},
{
"problemtype": "Inappropriate authentication (CWE-287) [NVD evaluation ]",
"trust": 0.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2021-015197"
},
{
"db": "NVD",
"id": "CVE-2021-37580"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-37580"
},
{
"trust": 1.7,
"url": "https://lists.apache.org/thread/o15j25qwtpcw62k48xw1tnv48skh3zgb"
},
{
"trust": 1.7,
"url": "http://www.openwall.com/lists/oss-security/2021/11/16/1"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/287.html"
},
{
"trust": 0.1,
"url": "https://github.com/liang2580/cve-2021-37580"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2021-89682"
},
{
"db": "VULMON",
"id": "CVE-2021-37580"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-015197"
},
{
"db": "CNNVD",
"id": "CNNVD-202111-1500"
},
{
"db": "NVD",
"id": "CVE-2021-37580"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CNVD",
"id": "CNVD-2021-89682"
},
{
"db": "VULMON",
"id": "CVE-2021-37580"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-015197"
},
{
"db": "CNNVD",
"id": "CNNVD-202111-1500"
},
{
"db": "NVD",
"id": "CVE-2021-37580"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2021-11-22T00:00:00",
"db": "CNVD",
"id": "CNVD-2021-89682"
},
{
"date": "2021-11-16T00:00:00",
"db": "VULMON",
"id": "CVE-2021-37580"
},
{
"date": "2022-11-11T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2021-015197"
},
{
"date": "2021-11-16T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202111-1500"
},
{
"date": "2021-11-16T10:15:07.220000",
"db": "NVD",
"id": "CVE-2021-37580"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2021-11-22T00:00:00",
"db": "CNVD",
"id": "CNVD-2021-89682"
},
{
"date": "2021-11-17T00:00:00",
"db": "VULMON",
"id": "CVE-2021-37580"
},
{
"date": "2022-11-11T05:28:00",
"db": "JVNDB",
"id": "JVNDB-2021-015197"
},
{
"date": "2021-11-25T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202111-1500"
},
{
"date": "2021-11-17T20:17:30.813000",
"db": "NVD",
"id": "CVE-2021-37580"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202111-1500"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Apache\u00a0ShenYu\u00a0Admin\u00a0 Authentication vulnerability in",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2021-015197"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "authorization issue",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202111-1500"
}
],
"trust": 0.6
}
}
CVE-2023-25753 (GCVE-0-2023-25753)
Vulnerability from nvd – Published: 2023-10-19 08:35 – Updated: 2024-09-12 20:32
VLAI?
Title
Server-Side Request Forgery in Apache ShenYu
Summary
There exists an SSRF (Server-Side Request Forgery) vulnerability located at the /sandbox/proxyGateway endpoint. This vulnerability allows us to manipulate arbitrary requests and retrieve corresponding responses by inputting any URL into the requestUrl parameter.
Of particular concern is our ability to exert control over the HTTP method, cookies, IP address, and headers. This effectively grants us the capability to dispatch complete HTTP requests to hosts of our choosing.
This issue affects Apache ShenYu: 2.5.1.
Upgrade to Apache ShenYu 2.6.0 or apply patch https://github.com/apache/shenyu/pull/4776 .
Severity ?
No CVSS data available.
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache ShenYu |
Affected:
0 , ≤ 2.5.1
(maven)
|
Credits
by3
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T11:32:11.718Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/chprswxvb22z35vnoxv9tt3zknsm977d"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-25753",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-12T20:32:03.176770Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-12T20:32:26.867Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache ShenYu",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "2.5.1",
"status": "affected",
"version": "0",
"versionType": "maven"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "by3"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\u003cp\u003eThere exists an SSRF (Server-Side Request Forgery) vulnerability located at the /sandbox/proxyGateway endpoint. This vulnerability allows us to manipulate arbitrary requests and retrieve corresponding responses by inputting any URL into the requestUrl parameter.\u003c/p\u003e\u003cp\u003eOf particular concern is our ability to exert control over the HTTP method, cookies, IP address, and headers. This effectively grants us the capability to dispatch complete HTTP requests to hosts of our choosing.\u003c/p\u003e\u003cp\u003e\n\n\u003c/p\u003e\u003cp\u003eThis issue affects Apache ShenYu: 2.5.1.\u003c/p\u003e\u003cp\u003eUpgrade to Apache ShenYu 2.6.0 or apply patch\u0026nbsp;\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/apache/shenyu/pull/4776\"\u003ehttps://github.com/apache/shenyu/pull/4776\u003c/a\u003e\u0026nbsp;.\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\n\n"
}
],
"value": "\nThere exists an SSRF (Server-Side Request Forgery) vulnerability located at the /sandbox/proxyGateway endpoint. This vulnerability allows us to manipulate arbitrary requests and retrieve corresponding responses by inputting any URL into the requestUrl parameter.\n\nOf particular concern is our ability to exert control over the HTTP method, cookies, IP address, and headers. This effectively grants us the capability to dispatch complete HTTP requests to hosts of our choosing.\n\nThis issue affects Apache ShenYu: 2.5.1.\n\nUpgrade to Apache ShenYu 2.6.0 or apply patch\u00a0 https://github.com/apache/shenyu/pull/4776 \u00a0.\n\n"
}
],
"metrics": [
{
"other": {
"content": {
"text": "low"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-19T08:35:31.452Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/chprswxvb22z35vnoxv9tt3zknsm977d"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Server-Side Request Forgery in Apache ShenYu",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2023-25753",
"datePublished": "2023-10-19T08:35:24.075Z",
"dateReserved": "2023-02-13T14:14:30.512Z",
"dateUpdated": "2024-09-12T20:32:26.867Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-42735 (GCVE-0-2022-42735)
Vulnerability from nvd – Published: 2023-02-15 09:38 – Updated: 2025-03-19 15:27
VLAI?
Title
Apache ShenYu Admin ultra vires
Summary
Improper Privilege Management vulnerability in Apache Software Foundation Apache ShenYu.
ShenYu Admin allows low-privilege low-level administrators create users with higher privileges than their own.
This issue affects Apache ShenYu: 2.5.0.
Upgrade to Apache ShenYu 2.5.1 or apply patch https://github.com/apache/shenyu/pull/3958 https://github.com/apache/shenyu/pull/3958 .
Severity ?
No CVSS data available.
CWE
- CWE-269 - Improper Privilege Management
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache ShenYu |
Affected:
0 , ≤ 2.5.0
(maven)
|
Credits
xxhzz
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T13:10:41.459Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/2k8764jmckmc19qc8x51nlnngq71pcf7"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-42735",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-19T15:27:08.447399Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-19T15:27:12.113Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache ShenYu",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "2.5.0",
"status": "affected",
"version": "0",
"versionType": "maven"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "xxhzz"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Privilege Management vulnerability in Apache Software Foundation Apache ShenYu.\u003cbr\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eShenYu Admin allows low-privilege low-level administrators create users with higher privileges than their own.\u003c/span\u003e\n\n\u003cp\u003eThis issue affects Apache ShenYu: 2.5.0.\u003c/p\u003e\u003cp\u003eUpgrade to Apache ShenYu 2.5.1 or apply patch \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/apache/shenyu/pull/3958\"\u003ehttps://github.com/apache/shenyu/pull/3958\u003c/a\u003e.\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "Improper Privilege Management vulnerability in Apache Software Foundation Apache ShenYu.\n\n\nShenYu Admin allows low-privilege low-level administrators create users with higher privileges than their own.\n\nThis issue affects Apache ShenYu: 2.5.0.\n\nUpgrade to Apache ShenYu 2.5.1 or apply patch https://github.com/apache/shenyu/pull/3958 https://github.com/apache/shenyu/pull/3958 .\n\n\n"
}
],
"metrics": [
{
"other": {
"content": {
"text": "low"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-02-15T09:38:55.301Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/2k8764jmckmc19qc8x51nlnngq71pcf7"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Apache ShenYu Admin ultra vires",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2022-42735",
"datePublished": "2023-02-15T09:38:55.301Z",
"dateReserved": "2022-10-10T14:42:39.234Z",
"dateUpdated": "2025-03-19T15:27:12.113Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-37435 (GCVE-0-2022-37435)
Vulnerability from nvd – Published: 2022-09-01 14:00 – Updated: 2024-08-03 10:29
VLAI?
Title
Apache ShenYu Admin Improper Privilege Management
Summary
Apache ShenYu Admin has insecure permissions, which may allow low-privilege administrators to modify high-privilege administrator's passwords. This issue affects Apache ShenYu 2.4.2 and 2.4.3.
Severity ?
No CVSS data available.
CWE
- CWE-732 - Incorrect Permission Assignment for Critical Resource
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache ShenYu |
Affected:
Apache ShenYu 2.4.2 and 2.4.3
|
Credits
Apache ShenYu would like to thank Lulu Gu <miogulugulu@gmail.com> for reporting this issue.
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T10:29:20.982Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread/ndblyxr2fdrvjtgbs1bogxgv2cgk7t28"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache ShenYu",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "Apache ShenYu 2.4.2 and 2.4.3"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Apache ShenYu would like to thank Lulu Gu \u003cmiogulugulu@gmail.com\u003e for reporting this issue."
}
],
"descriptions": [
{
"lang": "en",
"value": "Apache ShenYu Admin has insecure permissions, which may allow low-privilege administrators to modify high-privilege administrator\u0027s passwords. This issue affects Apache ShenYu 2.4.2 and 2.4.3."
}
],
"metrics": [
{
"other": {
"content": {
"other": "moderate"
},
"type": "unknown"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-732",
"description": "CWE-732 Incorrect Permission Assignment for Critical Resource",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-25T08:21:45.964Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread/ndblyxr2fdrvjtgbs1bogxgv2cgk7t28"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache ShenYu Admin Improper Privilege Management",
"workarounds": [
{
"lang": "en",
"value": "Upgrade to Apache ShenYu 2.5.0 or apply patch https://github.com/apache/shenyu/pull/3658."
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2022-37435",
"STATE": "PUBLIC",
"TITLE": "Apache ShenYu Admin Improper Privilege Management"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache ShenYu",
"version": {
"version_data": [
{
"version_affected": "=",
"version_name": "Apache ShenYu",
"version_value": "2.4.2 and 2.4.3"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Apache ShenYu would like to thank Lulu Gu \u003cmiogulugulu@gmail.com\u003e for reporting this issue."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Apache ShenYu Admin has insecure permissions, which may allow low-privilege administrators to modify high-privilege administrator\u0027s passwords. This issue affects Apache ShenYu 2.4.2 and 2.4.3."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": [
{
"other": "moderate"
}
],
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-732 Incorrect Permission Assignment for Critical Resource"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread/ndblyxr2fdrvjtgbs1bogxgv2cgk7t28",
"refsource": "MISC",
"url": "https://lists.apache.org/thread/ndblyxr2fdrvjtgbs1bogxgv2cgk7t28"
}
]
},
"source": {
"discovery": "UNKNOWN"
},
"work_around": [
{
"lang": "en",
"value": "Upgrade to Apache ShenYu 2.5.0 or apply patch https://github.com/apache/shenyu/pull/3658."
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2022-37435",
"datePublished": "2022-09-01T14:00:14",
"dateReserved": "2022-08-05T00:00:00",
"dateUpdated": "2024-08-03T10:29:20.982Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-26650 (GCVE-0-2022-26650)
Vulnerability from nvd – Published: 2022-05-17 08:05 – Updated: 2024-08-03 05:11
VLAI?
Title
Apache ShenYu (incubating) Regular expression denial of service
Summary
In Apache ShenYui, ShenYu-Bootstrap, RegexPredicateJudge.java uses Pattern.matches(conditionData.getParamValue(), realData) to make judgments, where both parameters are controllable by the user. This can cause an attacker pass in malicious regular expressions and characters causing a resource exhaustion. This issue affects Apache ShenYu (incubating) 2.4.0, 2.4.1 and 2.4.2 and is fixed in 2.4.3.
Severity ?
No CVSS data available.
CWE
- CWE-1333 - Inefficient Regular Expression Complexity
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache ShenYu (incubating) |
Affected:
unspecified , < 2.4.3
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T05:11:43.499Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread/8rp33m3nm4bwtx3qx76mqynth3t3d673"
},
{
"name": "[oss-security] 20220517 CVE-2022-26650: Apache ShenYu (incubating) Regular expression denial of service",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2022/05/17/3"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache ShenYu (incubating) ",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "2.4.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Apache ShenYui, ShenYu-Bootstrap, RegexPredicateJudge.java uses Pattern.matches(conditionData.getParamValue(), realData) to make judgments, where both parameters are controllable by the user. This can cause an attacker pass in malicious regular expressions and characters causing a resource exhaustion. This issue affects Apache ShenYu (incubating) 2.4.0, 2.4.1 and 2.4.2 and is fixed in 2.4.3."
}
],
"metrics": [
{
"other": {
"content": {
"other": "moderate"
},
"type": "unknown"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "CWE-1333 Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-12T10:13:17.435Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread/8rp33m3nm4bwtx3qx76mqynth3t3d673"
},
{
"name": "[oss-security] 20220517 CVE-2022-26650: Apache ShenYu (incubating) Regular expression denial of service",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2022/05/17/3"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache ShenYu (incubating) Regular expression denial of service",
"workarounds": [
{
"lang": "en",
"value": "Upgrade to Apache ShenYu (incubating) 2.4.3 or apply patch https://github.com/apache/incubator-shenyu/pull/2975."
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2022-26650",
"STATE": "PUBLIC",
"TITLE": "Apache ShenYu (incubating) Regular expression denial of service"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache ShenYu (incubating) ",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "2.4.3"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Apache ShenYui, ShenYu-Bootstrap, RegexPredicateJudge.java uses Pattern.matches(conditionData.getParamValue(), realData) to make judgments, where both parameters are controllable by the user. This can cause an attacker pass in malicious regular expressions and characters causing a resource exhaustion. This issue affects Apache ShenYu (incubating) 2.4.0, 2.4.1 and 2.4.2 and is fixed in 2.4.3."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": [
{
"other": "moderate"
}
],
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-1333 Inefficient Regular Expression Complexity"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread/8rp33m3nm4bwtx3qx76mqynth3t3d673",
"refsource": "MISC",
"url": "https://lists.apache.org/thread/8rp33m3nm4bwtx3qx76mqynth3t3d673"
},
{
"name": "[oss-security] 20220517 CVE-2022-26650: Apache ShenYu (incubating) Regular expression denial of service",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2022/05/17/3"
}
]
},
"source": {
"discovery": "UNKNOWN"
},
"work_around": [
{
"lang": "en",
"value": "Upgrade to Apache ShenYu (incubating) 2.4.3 or apply patch https://github.com/apache/incubator-shenyu/pull/2975."
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2022-26650",
"datePublished": "2022-05-17T08:05:10",
"dateReserved": "2022-03-07T00:00:00",
"dateUpdated": "2024-08-03T05:11:43.499Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-23945 (GCVE-0-2022-23945)
Vulnerability from nvd – Published: 2022-01-25 13:00 – Updated: 2024-08-03 03:59
VLAI?
Title
Apache ShenYu missing authentication allows gateway registration
Summary
Missing authentication on ShenYu Admin when register by HTTP. This issue affected Apache ShenYu 2.4.0 and 2.4.1.
Severity ?
No CVSS data available.
CWE
- CWE-862 - Missing Authorization
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache ShenYu (incubating) |
Affected:
Apache ShenYu (incubating) , < 2.4.2
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:59:23.281Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread/q2gg6ny6lpkph7nkrvjzqdvqpm805v8s"
},
{
"name": "[oss-security] 20220125 CVE-2022-23945: Apache ShenYu missing authentication allows gateway registration",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2022/01/25/6"
},
{
"name": "[oss-security] 20220126 CVE-2022-23945: Apache ShenYu (incubating) missing authentication allows gateway registration",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2022/01/26/3"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache ShenYu (incubating) ",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "2.4.2",
"status": "affected",
"version": "Apache ShenYu (incubating) ",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Missing authentication on ShenYu Admin when register by HTTP. This issue affected Apache ShenYu 2.4.0 and 2.4.1."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-01-26T12:06:13",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread/q2gg6ny6lpkph7nkrvjzqdvqpm805v8s"
},
{
"name": "[oss-security] 20220125 CVE-2022-23945: Apache ShenYu missing authentication allows gateway registration",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2022/01/25/6"
},
{
"name": "[oss-security] 20220126 CVE-2022-23945: Apache ShenYu (incubating) missing authentication allows gateway registration",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2022/01/26/3"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache ShenYu missing authentication allows gateway registration",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2022-23945",
"STATE": "PUBLIC",
"TITLE": "Apache ShenYu missing authentication allows gateway registration"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache ShenYu (incubating) ",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "Apache ShenYu (incubating) ",
"version_value": "2.4.2"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Missing authentication on ShenYu Admin when register by HTTP. This issue affected Apache ShenYu 2.4.0 and 2.4.1."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": [
{}
],
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-862 Missing Authorization"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread/q2gg6ny6lpkph7nkrvjzqdvqpm805v8s",
"refsource": "MISC",
"url": "https://lists.apache.org/thread/q2gg6ny6lpkph7nkrvjzqdvqpm805v8s"
},
{
"name": "[oss-security] 20220125 CVE-2022-23945: Apache ShenYu missing authentication allows gateway registration",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2022/01/25/6"
},
{
"name": "[oss-security] 20220126 CVE-2022-23945: Apache ShenYu (incubating) missing authentication allows gateway registration",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2022/01/26/3"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2022-23945",
"datePublished": "2022-01-25T13:00:25",
"dateReserved": "2022-01-25T00:00:00",
"dateUpdated": "2024-08-03T03:59:23.281Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-23944 (GCVE-0-2022-23944)
Vulnerability from nvd – Published: 2022-01-25 13:00 – Updated: 2024-08-03 03:59
VLAI?
Title
Apache ShenYu 2.4.1 Improper access control
Summary
User can access /plugin api without authentication. This issue affected Apache ShenYu 2.4.0 and 2.4.1.
Severity ?
No CVSS data available.
CWE
- CWE-862 - Missing Authorization
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache ShenYu (incubating) |
Affected:
Apache ShenYu (incubating) , < 2.4.2
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:59:23.263Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread/dbrjnnlrf80dr0f92k5r2ysfvf1kr67y"
},
{
"name": "[oss-security] 20220125 CVE-2022-23944: Apache ShenYu 2.4.1 Improper access control",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2022/01/25/5"
},
{
"name": "[oss-security] 20220125 Re: CVE-2022-23944: Apache ShenYu 2.4.1 Improper access control",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2022/01/25/15"
},
{
"name": "[oss-security] 20220126 CVE-2022-23944: Apache ShenYu (incubating) Improper access control",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2022/01/26/2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache ShenYu (incubating) ",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "2.4.2",
"status": "affected",
"version": "Apache ShenYu (incubating)",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "User can access /plugin api without authentication. This issue affected Apache ShenYu 2.4.0 and 2.4.1."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-01-26T12:06:15",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread/dbrjnnlrf80dr0f92k5r2ysfvf1kr67y"
},
{
"name": "[oss-security] 20220125 CVE-2022-23944: Apache ShenYu 2.4.1 Improper access control",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2022/01/25/5"
},
{
"name": "[oss-security] 20220125 Re: CVE-2022-23944: Apache ShenYu 2.4.1 Improper access control",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2022/01/25/15"
},
{
"name": "[oss-security] 20220126 CVE-2022-23944: Apache ShenYu (incubating) Improper access control",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2022/01/26/2"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache ShenYu 2.4.1 Improper access control",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2022-23944",
"STATE": "PUBLIC",
"TITLE": "Apache ShenYu 2.4.1 Improper access control"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache ShenYu (incubating) ",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "Apache ShenYu (incubating)",
"version_value": "2.4.2"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "User can access /plugin api without authentication. This issue affected Apache ShenYu 2.4.0 and 2.4.1."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": [
{}
],
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-862 Missing Authorization"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread/dbrjnnlrf80dr0f92k5r2ysfvf1kr67y",
"refsource": "MISC",
"url": "https://lists.apache.org/thread/dbrjnnlrf80dr0f92k5r2ysfvf1kr67y"
},
{
"name": "[oss-security] 20220125 CVE-2022-23944: Apache ShenYu 2.4.1 Improper access control",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2022/01/25/5"
},
{
"name": "[oss-security] 20220125 Re: CVE-2022-23944: Apache ShenYu 2.4.1 Improper access control",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2022/01/25/15"
},
{
"name": "[oss-security] 20220126 CVE-2022-23944: Apache ShenYu (incubating) Improper access control",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2022/01/26/2"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2022-23944",
"datePublished": "2022-01-25T13:00:24",
"dateReserved": "2022-01-25T00:00:00",
"dateUpdated": "2024-08-03T03:59:23.263Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-23223 (GCVE-0-2022-23223)
Vulnerability from nvd – Published: 2022-01-25 13:00 – Updated: 2024-08-03 03:36
VLAI?
Title
Apache ShenYu Password leakage
Summary
On Apache ShenYu versions 2.4.0 and 2.4.1, and endpoint existed that disclosed the passwords of all users. Users are recommended to upgrade to version 2.4.2 or later.
Severity ?
No CVSS data available.
CWE
- CWE-522 - Insufficiently Protected Credentials
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache ShenYu (incubating) |
Affected:
Apache ShenYu (incubating) , < 2.4.2
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:36:20.334Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread/q2gg6ny6lpkph7nkrvjzqdvqpm805v8s"
},
{
"name": "[oss-security] 20220125 CVE-2022-23223: Password leakage in Apache ShenYu",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2022/01/25/7"
},
{
"name": "[oss-security] 20220126 CVE-2022-23223: Apache ShenYu (incubating) Password leakage",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2022/01/26/4"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache ShenYu (incubating) ",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "2.4.2",
"status": "affected",
"version": "Apache ShenYu (incubating) ",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "On Apache ShenYu versions 2.4.0 and 2.4.1, and endpoint existed that disclosed the passwords of all users. Users are recommended to upgrade to version 2.4.2 or later."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-522",
"description": "CWE-522 Insufficiently Protected Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-04T08:00:34.196Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread/q2gg6ny6lpkph7nkrvjzqdvqpm805v8s"
},
{
"name": "[oss-security] 20220125 CVE-2022-23223: Password leakage in Apache ShenYu",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2022/01/25/7"
},
{
"name": "[oss-security] 20220126 CVE-2022-23223: Apache ShenYu (incubating) Password leakage",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2022/01/26/4"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache ShenYu Password leakage",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2022-23223",
"STATE": "PUBLIC",
"TITLE": "Apache ShenYu Password leakage"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache ShenYu (incubating) ",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "Apache ShenYu (incubating) ",
"version_value": "2.4.2"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The HTTP response will disclose the user password. This issue affected Apache ShenYu 2.4.0 and 2.4.1."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": [
{}
],
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-522 Insufficiently Protected Credentials"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread/q2gg6ny6lpkph7nkrvjzqdvqpm805v8s",
"refsource": "MISC",
"url": "https://lists.apache.org/thread/q2gg6ny6lpkph7nkrvjzqdvqpm805v8s"
},
{
"name": "[oss-security] 20220125 CVE-2022-23223: Password leakage in Apache ShenYu",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2022/01/25/7"
},
{
"name": "[oss-security] 20220126 CVE-2022-23223: Apache ShenYu (incubating) Password leakage",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2022/01/26/4"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2022-23223",
"datePublished": "2022-01-25T13:00:22",
"dateReserved": "2022-01-14T00:00:00",
"dateUpdated": "2024-08-03T03:36:20.334Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-45029 (GCVE-0-2021-45029)
Vulnerability from nvd – Published: 2022-01-25 13:00 – Updated: 2024-08-04 04:32
VLAI?
Title
Apache ShenYu 2.4.1 Groovy Code Injection & SpEL Injection
Summary
Groovy Code Injection & SpEL Injection which lead to Remote Code Execution. This issue affected Apache ShenYu 2.4.0 and 2.4.1.
Severity ?
No CVSS data available.
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache ShenYu (incubating) |
Affected:
Apache ShenYu (incubating) , < 2.4.2
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T04:32:13.478Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread/3zzmwvg3012tg306x8o893fvdcssx639"
},
{
"name": "[oss-security] 20220125 CVE-2021-45029: Groovy Code Injection \u0026 SpEL Injection in Apache ShenYu 2.4.1",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2022/01/25/8"
},
{
"name": "[oss-security] 20220126 CVE-2021-45029: Apache ShenYu (incubating) Groovy Code Injection and SpEL Injection",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2022/01/26/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache ShenYu (incubating) ",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "2.4.2",
"status": "affected",
"version": "Apache ShenYu (incubating)",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Groovy Code Injection \u0026 SpEL Injection which lead to Remote Code Execution. This issue affected Apache ShenYu 2.4.0 and 2.4.1."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-01-26T12:06:11",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread/3zzmwvg3012tg306x8o893fvdcssx639"
},
{
"name": "[oss-security] 20220125 CVE-2021-45029: Groovy Code Injection \u0026 SpEL Injection in Apache ShenYu 2.4.1",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2022/01/25/8"
},
{
"name": "[oss-security] 20220126 CVE-2021-45029: Apache ShenYu (incubating) Groovy Code Injection and SpEL Injection",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2022/01/26/1"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache ShenYu 2.4.1 Groovy Code Injection \u0026 SpEL Injection",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2021-45029",
"STATE": "PUBLIC",
"TITLE": "Apache ShenYu 2.4.1 Groovy Code Injection \u0026 SpEL Injection"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache ShenYu (incubating) ",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "Apache ShenYu (incubating)",
"version_value": "2.4.2"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Groovy Code Injection \u0026 SpEL Injection which lead to Remote Code Execution. This issue affected Apache ShenYu 2.4.0 and 2.4.1."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": [
{}
],
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread/3zzmwvg3012tg306x8o893fvdcssx639",
"refsource": "MISC",
"url": "https://lists.apache.org/thread/3zzmwvg3012tg306x8o893fvdcssx639"
},
{
"name": "[oss-security] 20220125 CVE-2021-45029: Groovy Code Injection \u0026 SpEL Injection in Apache ShenYu 2.4.1",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2022/01/25/8"
},
{
"name": "[oss-security] 20220126 CVE-2021-45029: Apache ShenYu (incubating) Groovy Code Injection and SpEL Injection",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2022/01/26/1"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2021-45029",
"datePublished": "2022-01-25T13:00:21",
"dateReserved": "2021-12-13T00:00:00",
"dateUpdated": "2024-08-04T04:32:13.478Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-37580 (GCVE-0-2021-37580)
Vulnerability from nvd – Published: 2021-11-16 09:35 – Updated: 2024-08-04 01:23
VLAI?
Title
Apache ShenYu Admin bypass JWT authentication
Summary
A flaw was found in Apache ShenYu Admin. The incorrect use of JWT in ShenyuAdminBootstrap allows an attacker to bypass authentication. This issue affected Apache ShenYu 2.3.0 and 2.4.0
Severity ?
No CVSS data available.
CWE
- CWE-287 - Improper Authentication
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache ShenYu Admin |
Affected:
Apache ShenYu Admin 2.3.0-2.4.0
|
Credits
This issue was reported by 伍 雄
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T01:23:01.186Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread/o15j25qwtpcw62k48xw1tnv48skh3zgb"
},
{
"name": "[oss-security] 20211116 CVE-2021-37580: Apache ShenYu Admin bypass JWT authentication",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2021/11/16/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache ShenYu Admin",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "Apache ShenYu Admin 2.3.0-2.4.0"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "This issue was reported by \u4f0d \u96c4"
}
],
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in Apache ShenYu Admin. The incorrect use of JWT in ShenyuAdminBootstrap allows an attacker to bypass authentication. This issue affected Apache ShenYu 2.3.0 and 2.4.0"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287 Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-11-16T12:06:06",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread/o15j25qwtpcw62k48xw1tnv48skh3zgb"
},
{
"name": "[oss-security] 20211116 CVE-2021-37580: Apache ShenYu Admin bypass JWT authentication",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2021/11/16/1"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache ShenYu Admin bypass JWT authentication",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2021-37580",
"STATE": "PUBLIC",
"TITLE": "Apache ShenYu Admin bypass JWT authentication"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache ShenYu Admin",
"version": {
"version_data": [
{
"version_affected": "=",
"version_name": "Apache ShenYu Admin",
"version_value": "2.3.0-2.4.0"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "This issue was reported by \u4f0d \u96c4"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A flaw was found in Apache ShenYu Admin. The incorrect use of JWT in ShenyuAdminBootstrap allows an attacker to bypass authentication. This issue affected Apache ShenYu 2.3.0 and 2.4.0"
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": [
{}
],
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-287 Improper Authentication"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread/o15j25qwtpcw62k48xw1tnv48skh3zgb",
"refsource": "MISC",
"url": "https://lists.apache.org/thread/o15j25qwtpcw62k48xw1tnv48skh3zgb"
},
{
"name": "[oss-security] 20211116 CVE-2021-37580: Apache ShenYu Admin bypass JWT authentication",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2021/11/16/1"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2021-37580",
"datePublished": "2021-11-16T09:35:11",
"dateReserved": "2021-07-27T00:00:00",
"dateUpdated": "2024-08-04T01:23:01.186Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-25753 (GCVE-0-2023-25753)
Vulnerability from cvelistv5 – Published: 2023-10-19 08:35 – Updated: 2024-09-12 20:32
VLAI?
Title
Server-Side Request Forgery in Apache ShenYu
Summary
There exists an SSRF (Server-Side Request Forgery) vulnerability located at the /sandbox/proxyGateway endpoint. This vulnerability allows us to manipulate arbitrary requests and retrieve corresponding responses by inputting any URL into the requestUrl parameter.
Of particular concern is our ability to exert control over the HTTP method, cookies, IP address, and headers. This effectively grants us the capability to dispatch complete HTTP requests to hosts of our choosing.
This issue affects Apache ShenYu: 2.5.1.
Upgrade to Apache ShenYu 2.6.0 or apply patch https://github.com/apache/shenyu/pull/4776 .
Severity ?
No CVSS data available.
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache ShenYu |
Affected:
0 , ≤ 2.5.1
(maven)
|
Credits
by3
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T11:32:11.718Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/chprswxvb22z35vnoxv9tt3zknsm977d"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-25753",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-12T20:32:03.176770Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-12T20:32:26.867Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache ShenYu",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "2.5.1",
"status": "affected",
"version": "0",
"versionType": "maven"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "by3"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\u003cp\u003eThere exists an SSRF (Server-Side Request Forgery) vulnerability located at the /sandbox/proxyGateway endpoint. This vulnerability allows us to manipulate arbitrary requests and retrieve corresponding responses by inputting any URL into the requestUrl parameter.\u003c/p\u003e\u003cp\u003eOf particular concern is our ability to exert control over the HTTP method, cookies, IP address, and headers. This effectively grants us the capability to dispatch complete HTTP requests to hosts of our choosing.\u003c/p\u003e\u003cp\u003e\n\n\u003c/p\u003e\u003cp\u003eThis issue affects Apache ShenYu: 2.5.1.\u003c/p\u003e\u003cp\u003eUpgrade to Apache ShenYu 2.6.0 or apply patch\u0026nbsp;\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/apache/shenyu/pull/4776\"\u003ehttps://github.com/apache/shenyu/pull/4776\u003c/a\u003e\u0026nbsp;.\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\n\n"
}
],
"value": "\nThere exists an SSRF (Server-Side Request Forgery) vulnerability located at the /sandbox/proxyGateway endpoint. This vulnerability allows us to manipulate arbitrary requests and retrieve corresponding responses by inputting any URL into the requestUrl parameter.\n\nOf particular concern is our ability to exert control over the HTTP method, cookies, IP address, and headers. This effectively grants us the capability to dispatch complete HTTP requests to hosts of our choosing.\n\nThis issue affects Apache ShenYu: 2.5.1.\n\nUpgrade to Apache ShenYu 2.6.0 or apply patch\u00a0 https://github.com/apache/shenyu/pull/4776 \u00a0.\n\n"
}
],
"metrics": [
{
"other": {
"content": {
"text": "low"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-19T08:35:31.452Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/chprswxvb22z35vnoxv9tt3zknsm977d"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Server-Side Request Forgery in Apache ShenYu",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2023-25753",
"datePublished": "2023-10-19T08:35:24.075Z",
"dateReserved": "2023-02-13T14:14:30.512Z",
"dateUpdated": "2024-09-12T20:32:26.867Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-42735 (GCVE-0-2022-42735)
Vulnerability from cvelistv5 – Published: 2023-02-15 09:38 – Updated: 2025-03-19 15:27
VLAI?
Title
Apache ShenYu Admin ultra vires
Summary
Improper Privilege Management vulnerability in Apache Software Foundation Apache ShenYu.
ShenYu Admin allows low-privilege low-level administrators create users with higher privileges than their own.
This issue affects Apache ShenYu: 2.5.0.
Upgrade to Apache ShenYu 2.5.1 or apply patch https://github.com/apache/shenyu/pull/3958 https://github.com/apache/shenyu/pull/3958 .
Severity ?
No CVSS data available.
CWE
- CWE-269 - Improper Privilege Management
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache ShenYu |
Affected:
0 , ≤ 2.5.0
(maven)
|
Credits
xxhzz
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T13:10:41.459Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/2k8764jmckmc19qc8x51nlnngq71pcf7"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-42735",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-19T15:27:08.447399Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-19T15:27:12.113Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache ShenYu",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "2.5.0",
"status": "affected",
"version": "0",
"versionType": "maven"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "xxhzz"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Privilege Management vulnerability in Apache Software Foundation Apache ShenYu.\u003cbr\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eShenYu Admin allows low-privilege low-level administrators create users with higher privileges than their own.\u003c/span\u003e\n\n\u003cp\u003eThis issue affects Apache ShenYu: 2.5.0.\u003c/p\u003e\u003cp\u003eUpgrade to Apache ShenYu 2.5.1 or apply patch \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/apache/shenyu/pull/3958\"\u003ehttps://github.com/apache/shenyu/pull/3958\u003c/a\u003e.\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "Improper Privilege Management vulnerability in Apache Software Foundation Apache ShenYu.\n\n\nShenYu Admin allows low-privilege low-level administrators create users with higher privileges than their own.\n\nThis issue affects Apache ShenYu: 2.5.0.\n\nUpgrade to Apache ShenYu 2.5.1 or apply patch https://github.com/apache/shenyu/pull/3958 https://github.com/apache/shenyu/pull/3958 .\n\n\n"
}
],
"metrics": [
{
"other": {
"content": {
"text": "low"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-02-15T09:38:55.301Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/2k8764jmckmc19qc8x51nlnngq71pcf7"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Apache ShenYu Admin ultra vires",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2022-42735",
"datePublished": "2023-02-15T09:38:55.301Z",
"dateReserved": "2022-10-10T14:42:39.234Z",
"dateUpdated": "2025-03-19T15:27:12.113Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-37435 (GCVE-0-2022-37435)
Vulnerability from cvelistv5 – Published: 2022-09-01 14:00 – Updated: 2024-08-03 10:29
VLAI?
Title
Apache ShenYu Admin Improper Privilege Management
Summary
Apache ShenYu Admin has insecure permissions, which may allow low-privilege administrators to modify high-privilege administrator's passwords. This issue affects Apache ShenYu 2.4.2 and 2.4.3.
Severity ?
No CVSS data available.
CWE
- CWE-732 - Incorrect Permission Assignment for Critical Resource
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache ShenYu |
Affected:
Apache ShenYu 2.4.2 and 2.4.3
|
Credits
Apache ShenYu would like to thank Lulu Gu <miogulugulu@gmail.com> for reporting this issue.
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T10:29:20.982Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread/ndblyxr2fdrvjtgbs1bogxgv2cgk7t28"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache ShenYu",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "Apache ShenYu 2.4.2 and 2.4.3"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Apache ShenYu would like to thank Lulu Gu \u003cmiogulugulu@gmail.com\u003e for reporting this issue."
}
],
"descriptions": [
{
"lang": "en",
"value": "Apache ShenYu Admin has insecure permissions, which may allow low-privilege administrators to modify high-privilege administrator\u0027s passwords. This issue affects Apache ShenYu 2.4.2 and 2.4.3."
}
],
"metrics": [
{
"other": {
"content": {
"other": "moderate"
},
"type": "unknown"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-732",
"description": "CWE-732 Incorrect Permission Assignment for Critical Resource",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-25T08:21:45.964Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread/ndblyxr2fdrvjtgbs1bogxgv2cgk7t28"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache ShenYu Admin Improper Privilege Management",
"workarounds": [
{
"lang": "en",
"value": "Upgrade to Apache ShenYu 2.5.0 or apply patch https://github.com/apache/shenyu/pull/3658."
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2022-37435",
"STATE": "PUBLIC",
"TITLE": "Apache ShenYu Admin Improper Privilege Management"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache ShenYu",
"version": {
"version_data": [
{
"version_affected": "=",
"version_name": "Apache ShenYu",
"version_value": "2.4.2 and 2.4.3"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Apache ShenYu would like to thank Lulu Gu \u003cmiogulugulu@gmail.com\u003e for reporting this issue."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Apache ShenYu Admin has insecure permissions, which may allow low-privilege administrators to modify high-privilege administrator\u0027s passwords. This issue affects Apache ShenYu 2.4.2 and 2.4.3."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": [
{
"other": "moderate"
}
],
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-732 Incorrect Permission Assignment for Critical Resource"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread/ndblyxr2fdrvjtgbs1bogxgv2cgk7t28",
"refsource": "MISC",
"url": "https://lists.apache.org/thread/ndblyxr2fdrvjtgbs1bogxgv2cgk7t28"
}
]
},
"source": {
"discovery": "UNKNOWN"
},
"work_around": [
{
"lang": "en",
"value": "Upgrade to Apache ShenYu 2.5.0 or apply patch https://github.com/apache/shenyu/pull/3658."
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2022-37435",
"datePublished": "2022-09-01T14:00:14",
"dateReserved": "2022-08-05T00:00:00",
"dateUpdated": "2024-08-03T10:29:20.982Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-26650 (GCVE-0-2022-26650)
Vulnerability from cvelistv5 – Published: 2022-05-17 08:05 – Updated: 2024-08-03 05:11
VLAI?
Title
Apache ShenYu (incubating) Regular expression denial of service
Summary
In Apache ShenYui, ShenYu-Bootstrap, RegexPredicateJudge.java uses Pattern.matches(conditionData.getParamValue(), realData) to make judgments, where both parameters are controllable by the user. This can cause an attacker pass in malicious regular expressions and characters causing a resource exhaustion. This issue affects Apache ShenYu (incubating) 2.4.0, 2.4.1 and 2.4.2 and is fixed in 2.4.3.
Severity ?
No CVSS data available.
CWE
- CWE-1333 - Inefficient Regular Expression Complexity
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache ShenYu (incubating) |
Affected:
unspecified , < 2.4.3
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T05:11:43.499Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread/8rp33m3nm4bwtx3qx76mqynth3t3d673"
},
{
"name": "[oss-security] 20220517 CVE-2022-26650: Apache ShenYu (incubating) Regular expression denial of service",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2022/05/17/3"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache ShenYu (incubating) ",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "2.4.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Apache ShenYui, ShenYu-Bootstrap, RegexPredicateJudge.java uses Pattern.matches(conditionData.getParamValue(), realData) to make judgments, where both parameters are controllable by the user. This can cause an attacker pass in malicious regular expressions and characters causing a resource exhaustion. This issue affects Apache ShenYu (incubating) 2.4.0, 2.4.1 and 2.4.2 and is fixed in 2.4.3."
}
],
"metrics": [
{
"other": {
"content": {
"other": "moderate"
},
"type": "unknown"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "CWE-1333 Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-12T10:13:17.435Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread/8rp33m3nm4bwtx3qx76mqynth3t3d673"
},
{
"name": "[oss-security] 20220517 CVE-2022-26650: Apache ShenYu (incubating) Regular expression denial of service",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2022/05/17/3"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache ShenYu (incubating) Regular expression denial of service",
"workarounds": [
{
"lang": "en",
"value": "Upgrade to Apache ShenYu (incubating) 2.4.3 or apply patch https://github.com/apache/incubator-shenyu/pull/2975."
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2022-26650",
"STATE": "PUBLIC",
"TITLE": "Apache ShenYu (incubating) Regular expression denial of service"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache ShenYu (incubating) ",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "2.4.3"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Apache ShenYui, ShenYu-Bootstrap, RegexPredicateJudge.java uses Pattern.matches(conditionData.getParamValue(), realData) to make judgments, where both parameters are controllable by the user. This can cause an attacker pass in malicious regular expressions and characters causing a resource exhaustion. This issue affects Apache ShenYu (incubating) 2.4.0, 2.4.1 and 2.4.2 and is fixed in 2.4.3."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": [
{
"other": "moderate"
}
],
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-1333 Inefficient Regular Expression Complexity"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread/8rp33m3nm4bwtx3qx76mqynth3t3d673",
"refsource": "MISC",
"url": "https://lists.apache.org/thread/8rp33m3nm4bwtx3qx76mqynth3t3d673"
},
{
"name": "[oss-security] 20220517 CVE-2022-26650: Apache ShenYu (incubating) Regular expression denial of service",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2022/05/17/3"
}
]
},
"source": {
"discovery": "UNKNOWN"
},
"work_around": [
{
"lang": "en",
"value": "Upgrade to Apache ShenYu (incubating) 2.4.3 or apply patch https://github.com/apache/incubator-shenyu/pull/2975."
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2022-26650",
"datePublished": "2022-05-17T08:05:10",
"dateReserved": "2022-03-07T00:00:00",
"dateUpdated": "2024-08-03T05:11:43.499Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-23945 (GCVE-0-2022-23945)
Vulnerability from cvelistv5 – Published: 2022-01-25 13:00 – Updated: 2024-08-03 03:59
VLAI?
Title
Apache ShenYu missing authentication allows gateway registration
Summary
Missing authentication on ShenYu Admin when register by HTTP. This issue affected Apache ShenYu 2.4.0 and 2.4.1.
Severity ?
No CVSS data available.
CWE
- CWE-862 - Missing Authorization
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache ShenYu (incubating) |
Affected:
Apache ShenYu (incubating) , < 2.4.2
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:59:23.281Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread/q2gg6ny6lpkph7nkrvjzqdvqpm805v8s"
},
{
"name": "[oss-security] 20220125 CVE-2022-23945: Apache ShenYu missing authentication allows gateway registration",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2022/01/25/6"
},
{
"name": "[oss-security] 20220126 CVE-2022-23945: Apache ShenYu (incubating) missing authentication allows gateway registration",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2022/01/26/3"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache ShenYu (incubating) ",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "2.4.2",
"status": "affected",
"version": "Apache ShenYu (incubating) ",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Missing authentication on ShenYu Admin when register by HTTP. This issue affected Apache ShenYu 2.4.0 and 2.4.1."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-01-26T12:06:13",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread/q2gg6ny6lpkph7nkrvjzqdvqpm805v8s"
},
{
"name": "[oss-security] 20220125 CVE-2022-23945: Apache ShenYu missing authentication allows gateway registration",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2022/01/25/6"
},
{
"name": "[oss-security] 20220126 CVE-2022-23945: Apache ShenYu (incubating) missing authentication allows gateway registration",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2022/01/26/3"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache ShenYu missing authentication allows gateway registration",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2022-23945",
"STATE": "PUBLIC",
"TITLE": "Apache ShenYu missing authentication allows gateway registration"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache ShenYu (incubating) ",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "Apache ShenYu (incubating) ",
"version_value": "2.4.2"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Missing authentication on ShenYu Admin when register by HTTP. This issue affected Apache ShenYu 2.4.0 and 2.4.1."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": [
{}
],
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-862 Missing Authorization"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread/q2gg6ny6lpkph7nkrvjzqdvqpm805v8s",
"refsource": "MISC",
"url": "https://lists.apache.org/thread/q2gg6ny6lpkph7nkrvjzqdvqpm805v8s"
},
{
"name": "[oss-security] 20220125 CVE-2022-23945: Apache ShenYu missing authentication allows gateway registration",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2022/01/25/6"
},
{
"name": "[oss-security] 20220126 CVE-2022-23945: Apache ShenYu (incubating) missing authentication allows gateway registration",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2022/01/26/3"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2022-23945",
"datePublished": "2022-01-25T13:00:25",
"dateReserved": "2022-01-25T00:00:00",
"dateUpdated": "2024-08-03T03:59:23.281Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-23944 (GCVE-0-2022-23944)
Vulnerability from cvelistv5 – Published: 2022-01-25 13:00 – Updated: 2024-08-03 03:59
VLAI?
Title
Apache ShenYu 2.4.1 Improper access control
Summary
User can access /plugin api without authentication. This issue affected Apache ShenYu 2.4.0 and 2.4.1.
Severity ?
No CVSS data available.
CWE
- CWE-862 - Missing Authorization
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache ShenYu (incubating) |
Affected:
Apache ShenYu (incubating) , < 2.4.2
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:59:23.263Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread/dbrjnnlrf80dr0f92k5r2ysfvf1kr67y"
},
{
"name": "[oss-security] 20220125 CVE-2022-23944: Apache ShenYu 2.4.1 Improper access control",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2022/01/25/5"
},
{
"name": "[oss-security] 20220125 Re: CVE-2022-23944: Apache ShenYu 2.4.1 Improper access control",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2022/01/25/15"
},
{
"name": "[oss-security] 20220126 CVE-2022-23944: Apache ShenYu (incubating) Improper access control",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2022/01/26/2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache ShenYu (incubating) ",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "2.4.2",
"status": "affected",
"version": "Apache ShenYu (incubating)",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "User can access /plugin api without authentication. This issue affected Apache ShenYu 2.4.0 and 2.4.1."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-01-26T12:06:15",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread/dbrjnnlrf80dr0f92k5r2ysfvf1kr67y"
},
{
"name": "[oss-security] 20220125 CVE-2022-23944: Apache ShenYu 2.4.1 Improper access control",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2022/01/25/5"
},
{
"name": "[oss-security] 20220125 Re: CVE-2022-23944: Apache ShenYu 2.4.1 Improper access control",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2022/01/25/15"
},
{
"name": "[oss-security] 20220126 CVE-2022-23944: Apache ShenYu (incubating) Improper access control",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2022/01/26/2"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache ShenYu 2.4.1 Improper access control",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2022-23944",
"STATE": "PUBLIC",
"TITLE": "Apache ShenYu 2.4.1 Improper access control"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache ShenYu (incubating) ",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "Apache ShenYu (incubating)",
"version_value": "2.4.2"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "User can access /plugin api without authentication. This issue affected Apache ShenYu 2.4.0 and 2.4.1."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": [
{}
],
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-862 Missing Authorization"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread/dbrjnnlrf80dr0f92k5r2ysfvf1kr67y",
"refsource": "MISC",
"url": "https://lists.apache.org/thread/dbrjnnlrf80dr0f92k5r2ysfvf1kr67y"
},
{
"name": "[oss-security] 20220125 CVE-2022-23944: Apache ShenYu 2.4.1 Improper access control",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2022/01/25/5"
},
{
"name": "[oss-security] 20220125 Re: CVE-2022-23944: Apache ShenYu 2.4.1 Improper access control",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2022/01/25/15"
},
{
"name": "[oss-security] 20220126 CVE-2022-23944: Apache ShenYu (incubating) Improper access control",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2022/01/26/2"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2022-23944",
"datePublished": "2022-01-25T13:00:24",
"dateReserved": "2022-01-25T00:00:00",
"dateUpdated": "2024-08-03T03:59:23.263Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-23223 (GCVE-0-2022-23223)
Vulnerability from cvelistv5 – Published: 2022-01-25 13:00 – Updated: 2024-08-03 03:36
VLAI?
Title
Apache ShenYu Password leakage
Summary
On Apache ShenYu versions 2.4.0 and 2.4.1, and endpoint existed that disclosed the passwords of all users. Users are recommended to upgrade to version 2.4.2 or later.
Severity ?
No CVSS data available.
CWE
- CWE-522 - Insufficiently Protected Credentials
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache ShenYu (incubating) |
Affected:
Apache ShenYu (incubating) , < 2.4.2
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:36:20.334Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread/q2gg6ny6lpkph7nkrvjzqdvqpm805v8s"
},
{
"name": "[oss-security] 20220125 CVE-2022-23223: Password leakage in Apache ShenYu",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2022/01/25/7"
},
{
"name": "[oss-security] 20220126 CVE-2022-23223: Apache ShenYu (incubating) Password leakage",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2022/01/26/4"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache ShenYu (incubating) ",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "2.4.2",
"status": "affected",
"version": "Apache ShenYu (incubating) ",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "On Apache ShenYu versions 2.4.0 and 2.4.1, and endpoint existed that disclosed the passwords of all users. Users are recommended to upgrade to version 2.4.2 or later."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-522",
"description": "CWE-522 Insufficiently Protected Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-04T08:00:34.196Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread/q2gg6ny6lpkph7nkrvjzqdvqpm805v8s"
},
{
"name": "[oss-security] 20220125 CVE-2022-23223: Password leakage in Apache ShenYu",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2022/01/25/7"
},
{
"name": "[oss-security] 20220126 CVE-2022-23223: Apache ShenYu (incubating) Password leakage",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2022/01/26/4"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache ShenYu Password leakage",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2022-23223",
"STATE": "PUBLIC",
"TITLE": "Apache ShenYu Password leakage"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache ShenYu (incubating) ",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "Apache ShenYu (incubating) ",
"version_value": "2.4.2"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The HTTP response will disclose the user password. This issue affected Apache ShenYu 2.4.0 and 2.4.1."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": [
{}
],
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-522 Insufficiently Protected Credentials"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread/q2gg6ny6lpkph7nkrvjzqdvqpm805v8s",
"refsource": "MISC",
"url": "https://lists.apache.org/thread/q2gg6ny6lpkph7nkrvjzqdvqpm805v8s"
},
{
"name": "[oss-security] 20220125 CVE-2022-23223: Password leakage in Apache ShenYu",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2022/01/25/7"
},
{
"name": "[oss-security] 20220126 CVE-2022-23223: Apache ShenYu (incubating) Password leakage",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2022/01/26/4"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2022-23223",
"datePublished": "2022-01-25T13:00:22",
"dateReserved": "2022-01-14T00:00:00",
"dateUpdated": "2024-08-03T03:36:20.334Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-45029 (GCVE-0-2021-45029)
Vulnerability from cvelistv5 – Published: 2022-01-25 13:00 – Updated: 2024-08-04 04:32
VLAI?
Title
Apache ShenYu 2.4.1 Groovy Code Injection & SpEL Injection
Summary
Groovy Code Injection & SpEL Injection which lead to Remote Code Execution. This issue affected Apache ShenYu 2.4.0 and 2.4.1.
Severity ?
No CVSS data available.
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache ShenYu (incubating) |
Affected:
Apache ShenYu (incubating) , < 2.4.2
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T04:32:13.478Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread/3zzmwvg3012tg306x8o893fvdcssx639"
},
{
"name": "[oss-security] 20220125 CVE-2021-45029: Groovy Code Injection \u0026 SpEL Injection in Apache ShenYu 2.4.1",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2022/01/25/8"
},
{
"name": "[oss-security] 20220126 CVE-2021-45029: Apache ShenYu (incubating) Groovy Code Injection and SpEL Injection",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2022/01/26/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache ShenYu (incubating) ",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "2.4.2",
"status": "affected",
"version": "Apache ShenYu (incubating)",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Groovy Code Injection \u0026 SpEL Injection which lead to Remote Code Execution. This issue affected Apache ShenYu 2.4.0 and 2.4.1."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-01-26T12:06:11",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread/3zzmwvg3012tg306x8o893fvdcssx639"
},
{
"name": "[oss-security] 20220125 CVE-2021-45029: Groovy Code Injection \u0026 SpEL Injection in Apache ShenYu 2.4.1",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2022/01/25/8"
},
{
"name": "[oss-security] 20220126 CVE-2021-45029: Apache ShenYu (incubating) Groovy Code Injection and SpEL Injection",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2022/01/26/1"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache ShenYu 2.4.1 Groovy Code Injection \u0026 SpEL Injection",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2021-45029",
"STATE": "PUBLIC",
"TITLE": "Apache ShenYu 2.4.1 Groovy Code Injection \u0026 SpEL Injection"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache ShenYu (incubating) ",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "Apache ShenYu (incubating)",
"version_value": "2.4.2"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Groovy Code Injection \u0026 SpEL Injection which lead to Remote Code Execution. This issue affected Apache ShenYu 2.4.0 and 2.4.1."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": [
{}
],
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread/3zzmwvg3012tg306x8o893fvdcssx639",
"refsource": "MISC",
"url": "https://lists.apache.org/thread/3zzmwvg3012tg306x8o893fvdcssx639"
},
{
"name": "[oss-security] 20220125 CVE-2021-45029: Groovy Code Injection \u0026 SpEL Injection in Apache ShenYu 2.4.1",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2022/01/25/8"
},
{
"name": "[oss-security] 20220126 CVE-2021-45029: Apache ShenYu (incubating) Groovy Code Injection and SpEL Injection",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2022/01/26/1"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2021-45029",
"datePublished": "2022-01-25T13:00:21",
"dateReserved": "2021-12-13T00:00:00",
"dateUpdated": "2024-08-04T04:32:13.478Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-37580 (GCVE-0-2021-37580)
Vulnerability from cvelistv5 – Published: 2021-11-16 09:35 – Updated: 2024-08-04 01:23
VLAI?
Title
Apache ShenYu Admin bypass JWT authentication
Summary
A flaw was found in Apache ShenYu Admin. The incorrect use of JWT in ShenyuAdminBootstrap allows an attacker to bypass authentication. This issue affected Apache ShenYu 2.3.0 and 2.4.0
Severity ?
No CVSS data available.
CWE
- CWE-287 - Improper Authentication
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache ShenYu Admin |
Affected:
Apache ShenYu Admin 2.3.0-2.4.0
|
Credits
This issue was reported by 伍 雄
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T01:23:01.186Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread/o15j25qwtpcw62k48xw1tnv48skh3zgb"
},
{
"name": "[oss-security] 20211116 CVE-2021-37580: Apache ShenYu Admin bypass JWT authentication",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2021/11/16/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache ShenYu Admin",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "Apache ShenYu Admin 2.3.0-2.4.0"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "This issue was reported by \u4f0d \u96c4"
}
],
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in Apache ShenYu Admin. The incorrect use of JWT in ShenyuAdminBootstrap allows an attacker to bypass authentication. This issue affected Apache ShenYu 2.3.0 and 2.4.0"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287 Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-11-16T12:06:06",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread/o15j25qwtpcw62k48xw1tnv48skh3zgb"
},
{
"name": "[oss-security] 20211116 CVE-2021-37580: Apache ShenYu Admin bypass JWT authentication",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2021/11/16/1"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache ShenYu Admin bypass JWT authentication",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2021-37580",
"STATE": "PUBLIC",
"TITLE": "Apache ShenYu Admin bypass JWT authentication"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache ShenYu Admin",
"version": {
"version_data": [
{
"version_affected": "=",
"version_name": "Apache ShenYu Admin",
"version_value": "2.3.0-2.4.0"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "This issue was reported by \u4f0d \u96c4"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A flaw was found in Apache ShenYu Admin. The incorrect use of JWT in ShenyuAdminBootstrap allows an attacker to bypass authentication. This issue affected Apache ShenYu 2.3.0 and 2.4.0"
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": [
{}
],
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-287 Improper Authentication"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread/o15j25qwtpcw62k48xw1tnv48skh3zgb",
"refsource": "MISC",
"url": "https://lists.apache.org/thread/o15j25qwtpcw62k48xw1tnv48skh3zgb"
},
{
"name": "[oss-security] 20211116 CVE-2021-37580: Apache ShenYu Admin bypass JWT authentication",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2021/11/16/1"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2021-37580",
"datePublished": "2021-11-16T09:35:11",
"dateReserved": "2021-07-27T00:00:00",
"dateUpdated": "2024-08-04T01:23:01.186Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}