oss-sec mailing list archives

CVE-2022-23944: Apache ShenYu (incubating) Improper access control
From: Zhang Yonglun <zhangyonglun () apache org>
Date: Wed, 26 Jan 2022 14:29:17 +0800

Severity: moderate

Description:

Any user can access the /plugin API without authentication. The project
uses Shiro to authenticate, but the default whitelist defined in the
application configuration includes the /plugin path.
As a result, anyone can access the /plugin API, which lists the details of
all plugins, including id, name and config (the config may include a
password). A new plugin can also be added with a POST request to the
/plugin API.
This issue affects Apache ShenYu (incubating) 2.4.0 and 2.4.1.

Mitigation:

Upgrade to Apache ShenYu (incubating) 2.4.2 or apply patch
https://github.com/apache/incubator-shenyu/pull/2462.
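An added example, not code from the project or from this advisory: a small audit of a Shiro-style (Ant path pattern) whitelist that flags any entry exempting the /plugin admin API from authentication. The whitelist contents and the PROTECTED_PREFIXES list are constructed assumptions for illustration, not ShenYu's actual application.yml.

```python
import re

# Constructed whitelists for illustration; they are NOT ShenYu's actual
# application.yml contents. The vulnerable one carries the advisory's
# defect: an entry covering the /plugin admin API is exempt from auth.
VULNERABLE_WHITELIST = ["/", "/platform/login", "/swagger-ui.html", "/plugin/**"]
FIXED_WHITELIST = ["/", "/platform/login", "/swagger-ui.html"]

# Admin API prefixes that must never be exempt from authentication
# (hypothetical list; /plugin is the path the advisory names).
PROTECTED_PREFIXES = ["/plugin"]

def ant_to_regex(pattern):
    """Translate an Ant-style path pattern (the syntax Shiro filter chains
    use) into a regex: a trailing '/**' also matches the bare prefix,
    '**' spans segments, '*' stays within one segment, '?' is one char."""
    out, i = "^", 0
    while i < len(pattern):
        if i == len(pattern) - 3 and pattern.endswith("/**"):
            out += "(/.*)?"
            i += 3
        elif pattern.startswith("**", i):
            out += ".*"
            i += 2
        elif pattern[i] == "*":
            out += "[^/]*"
            i += 1
        elif pattern[i] == "?":
            out += "[^/]"
            i += 1
        else:
            out += re.escape(pattern[i])
            i += 1
    return re.compile(out + "$")

def is_whitelisted(path, whitelist):
    """True if a request to `path` would bypass authentication."""
    return any(ant_to_regex(p).match(path) for p in whitelist)

def audit_whitelist(whitelist, protected):
    """Return whitelist entries that exempt a protected admin path, or
    any resource beneath it, from authentication."""
    offending = []
    for entry in whitelist:
        rx = ant_to_regex(entry)
        if any(rx.match(p) or rx.match(p + "/x") for p in protected):
            offending.append(entry)
    return offending
```

Running `audit_whitelist` over the vulnerable list returns `["/plugin/**"]`; over the fixed list it returns an empty list, which is the check to repeat after upgrading or applying the patch.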


--

Zhang Yonglun
Apache ShenYu (Incubating)
Apache ShardingSphere