oss-sec mailing list archives

CVE-2022-23945: Apache ShenYu (incubating) missing authentication allows gateway registration

From: Zhang Yonglun <zhangyonglun () apache org>
Date: Wed, 26 Jan 2022 14:40:38 +0800

Severity: moderate

Description:

Missing  authentication on ShenYu Admin when a gateway registers. So,
if ShenYu Admin is exposed to the internet, it will allow any user to
register as the gateway.
This issue affects Apache ShenYu (incubating) 2.4.0 and 2.4.1.

Mitigation:

Upgrade to Apache ShenYu (incubating) 2.4.2 or apply patch
https://github.com/apache/incubator-shenyu/pull/2723.


--

Zhang Yonglun
Apache ShenYu (Incubating)
Apache ShardingSphere

Current thread:

CVE-2022-23945: Apache ShenYu (incubating) missing authentication allows gateway registration Zhang Yonglun (Jan 26)