oss-sec mailing list archives
CVE-2022-23944: Apache ShenYu (incubating) Improper access control
From: Zhang Yonglun <zhangyonglun () apache org>
Date: Wed, 26 Jan 2022 14:29:17 +0800
Severity: moderate

Description:

Any user can access the /plugin API without authentication. The project uses Shiro to authenticate, but the default whitelist defined in the application includes the /plugin path. So everybody can access the /plugin API, which lists the details of all plugins, including id, name and config (which may include passwords). A new plugin can also be added by sending a POST request to the /plugin API.

This issue affects Apache ShenYu (incubating) 2.4.0 and 2.4.1.

Mitigation:

Upgrade to Apache ShenYu (incubating) 2.4.2 or apply the patch https://github.com/apache/incubator-shenyu/pull/2462.

--
Zhang Yonglun
Apache ShenYu (Incubating)
Apache ShardingSphere
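The root cause described above is a Shiro anonymous-access whitelist that happens to cover an administrative endpoint. The following is an added example, not code from the advisory or from the ShenYu project: it implements an Ant-style path matcher (the pattern syntax Shiro uses for its filter chain, where `**` spans path segments, `*` matches within one segment and `?` matches a single character) and audits a whitelist against a list of endpoints that should always require a session. The whitelist entries, the `SENSITIVE_ENDPOINTS` names and the way `/plugin` appears in the list are assumptions constructed for the example; they are not copied from the project's application.yml.

```python
import re

# Constructed example of a ShenYu-admin style Shiro whitelist. The entries are
# assumptions for this example, not copied from the project; the relevant point
# is that the administrative "/plugin" path is listed as anonymous-access.
VULNERABLE_WHITELIST = [
    "/",
    "/favicon.*",
    "/static/**",
    "/swagger-ui.html",
    "/webjars/**",
    "/platform/login",
    "/plugin",
]

# The same list with the "/plugin" entry removed, i.e. the shape of the fix:
# "/plugin" falls back to the authenticated filter chain.
FIXED_WHITELIST = [p for p in VULNERABLE_WHITELIST if p != "/plugin"]

# Admin endpoints that must never be reachable anonymously (assumed names).
SENSITIVE_ENDPOINTS = ["/plugin", "/plugin/1", "/dashboardUser"]


def ant_to_regex(pattern: str) -> re.Pattern:
    """Translate an Ant-style path pattern into an anchored regular expression.

    "/**"  -> zero or more further segments (also matches the bare prefix)
    "**"   -> any characters including "/"
    "*"    -> any characters except "/"
    "?"    -> exactly one character except "/"
    """
    out = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("/**", i):
            out.append("(/.*)?")
            i += 3
        elif pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def unauthenticated_matches(whitelist, endpoints):
    """Return {endpoint: whitelist_pattern} for every endpoint that some
    whitelist pattern would let through without authentication."""
    compiled = [(p, ant_to_regex(p)) for p in whitelist]
    exposed = {}
    for endpoint in endpoints:
        for pattern, rx in compiled:
            if rx.match(endpoint):
                exposed[endpoint] = pattern
                break
    return exposed


def audit(whitelist, endpoints):
    """Human-readable findings for a whitelist; empty list means clean."""
    return [
        f"{endpoint} is anonymous-access via whitelist entry '{pattern}'"
        for endpoint, pattern in unauthenticated_matches(whitelist, endpoints).items()
    ]


if __name__ == "__main__":
    for name, wl in (("vulnerable", VULNERABLE_WHITELIST), ("fixed", FIXED_WHITELIST)):
        findings = audit(wl, SENSITIVE_ENDPOINTS)
        print(f"{name}: {findings or 'no sensitive endpoint is whitelisted'}")
```

Running the check against the vulnerable list reports `/plugin` as anonymous-access; against the fixed list it reports nothing. Note that an exact entry such as `/plugin` only opens that one path, whereas an entry like `/plugin/**` would also open every sub-path, so when reviewing a filter chain it is worth feeding the matcher the concrete sub-paths you care about rather than just the prefix.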