Vulnerabilities related to Apache Software Foundation - Apache ShenYu
CVE-2023-25753 (GCVE-0-2023-25753)
Vulnerability from cvelistv5
Published
2023-10-19 08:35
Modified
2024-09-12 20:32
Severity: low (Apache textual rating)
CISA SSVC: Exploitation none, Automatable no, Technical Impact partial
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Summary
An SSRF (Server-Side Request Forgery) vulnerability exists at the /sandbox/proxyGateway endpoint. Any URL supplied in the requestUrl parameter is fetched by the server and the corresponding response is returned to the caller.
Of particular concern, the caller also controls the HTTP method, cookies, target IP address and headers, so the endpoint can be made to dispatch complete HTTP requests to hosts of the attacker's choosing, including hosts reachable only from the server's network position.
This issue affects Apache ShenYu 2.5.1 (the CVE record marks every version up to and including 2.5.1 as affected).
Upgrade to Apache ShenYu 2.6.0 or apply the patch in https://github.com/apache/shenyu/pull/4776.
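The following is an added example, not Apache ShenYu code, showing the destination check that a server-side proxy endpoint of the kind described above needs. vulnerable_target() is the pattern behind the CVE (the caller-supplied URL is forwarded as-is); check_target() is the hardened replacement: it forwards only to an explicit allowlist of hosts and refuses any URL whose address is loopback, private, link-local (the cloud metadata range) or otherwise non-public, even when an allowlisted name resolves there. ALLOWED_HOSTS, DEMO_DNS, the demo URLs and every address in the table are constructed for this example and are not taken from the advisory.

```python
"""
Added example, not Apache ShenYu code: a destination check for a
server-side proxy endpoint of the kind described in CVE-2023-25753.
All host names, addresses and the allowlist below are constructed.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Assumed allowlist: the only upstreams the sandbox proxy should reach.
ALLOWED_HOSTS = {"httpbin.org", "api.partner.example", "partner-cdn.example"}

# Constructed name->address table so the demo runs offline.  The last
# entry models an allowlisted name that has been pointed at an internal
# address (DNS rebinding or a compromised zone).
DEMO_DNS = {
    "httpbin.org": ["93.184.216.34"],
    "api.partner.example": ["93.184.216.35"],
    "partner-cdn.example": ["10.0.0.5"],
}


def vulnerable_target(request_url):
    """The CVE pattern: trust the caller-supplied URL as the destination."""
    return request_url


def system_resolver(host):
    """Production resolver: every A/AAAA record for host (empty on failure)."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    return [ipaddress.ip_address(info[4][0]) for info in infos]


def demo_resolver(host):
    """Offline resolver backed by DEMO_DNS; IP literals resolve to themselves."""
    try:
        return [ipaddress.ip_address(host)]
    except ValueError:
        return [ipaddress.ip_address(a) for a in DEMO_DNS.get(host, [])]


def is_public_address(addr):
    """False for loopback, RFC 1918/ULA, link-local (169.254.0.0/16 hosts
    cloud metadata services), multicast, reserved and unspecified addresses."""
    return not (addr.is_loopback or addr.is_private or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def check_target(request_url, resolver=system_resolver):
    """Return (ok, reason); forward the request only when ok is True."""
    parts = urlsplit(request_url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if parts.hostname is None:
        return False, "no host"
    if parts.username is not None or parts.password is not None:
        # http://allowed-host@127.0.0.1/ puts the real target after the '@'.
        return False, "userinfo not allowed"
    host = parts.hostname.lower()
    if host not in ALLOWED_HOSTS:
        return False, "host not in allowlist"
    addrs = resolver(host)
    if not addrs:
        return False, "host does not resolve"
    for addr in addrs:
        if not is_public_address(addr):
            return False, f"resolves to non-public address {addr}"
    return True, "ok"


# Constructed requestUrl values covering the cases the check must handle.
DEMO_URLS = [
    "https://httpbin.org/get",
    "http://169.254.169.254/latest/meta-data/",
    "http://127.0.0.1:9095/",
    "http://httpbin.org@127.0.0.1/",
    "ftp://httpbin.org/",
    "http://partner-cdn.example/",
]


def run_demo():
    """Evaluate every DEMO_URL with the offline resolver."""
    return {url: check_target(url, demo_resolver) for url in DEMO_URLS}


if __name__ == "__main__":
    for url, (ok, why) in run_demo().items():
        print(f"{'FORWARD' if ok else 'REJECT '} {url}  ({why})")
```

Two caveats when wiring a check like this into a real proxy: the forwarding client must connect to the address the check resolved (pin it) rather than resolve the name a second time, otherwise a rebinding DNS answer defeats the address test; and the client must not follow redirects on its own, since a 302 from an allowlisted host is a second, unchecked destination. Neither replaces upgrading to 2.6.0 for ShenYu itself.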
References
URL | Tags |
---|---|
https://lists.apache.org/thread/chprswxvb22z35vnoxv9tt3zknsm977d | vendor-advisory |
Impacted products
Vendor | Product | Version |
---|---|---|
Apache Software Foundation | Apache ShenYu | 0 through 2.5.1 inclusive (maven) |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T11:32:11.718Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.apache.org/thread/chprswxvb22z35vnoxv9tt3zknsm977d" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-25753", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-12T20:32:03.176770Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-12T20:32:26.867Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Apache ShenYu", "vendor": "Apache Software Foundation", "versions": [ { "lessThanOrEqual": "2.5.1", "status": "affected", "version": "0", "versionType": "maven" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "by3" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\n\n\u003cp\u003eThere exists an SSRF (Server-Side Request Forgery) vulnerability located at the /sandbox/proxyGateway endpoint. This vulnerability allows us to manipulate arbitrary requests and retrieve corresponding responses by inputting any URL into the requestUrl parameter.\u003c/p\u003e\u003cp\u003eOf particular concern is our ability to exert control over the HTTP method, cookies, IP address, and headers. 
This effectively grants us the capability to dispatch complete HTTP requests to hosts of our choosing.\u003c/p\u003e\u003cp\u003e\n\n\u003c/p\u003e\u003cp\u003eThis issue affects Apache ShenYu: 2.5.1.\u003c/p\u003e\u003cp\u003eUpgrade to Apache ShenYu 2.6.0 or apply patch\u0026nbsp;\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/apache/shenyu/pull/4776\"\u003ehttps://github.com/apache/shenyu/pull/4776\u003c/a\u003e\u0026nbsp;.\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\n\n" } ], "value": "\nThere exists an SSRF (Server-Side Request Forgery) vulnerability located at the /sandbox/proxyGateway endpoint. This vulnerability allows us to manipulate arbitrary requests and retrieve corresponding responses by inputting any URL into the requestUrl parameter.\n\nOf particular concern is our ability to exert control over the HTTP method, cookies, IP address, and headers. This effectively grants us the capability to dispatch complete HTTP requests to hosts of our choosing.\n\nThis issue affects Apache ShenYu: 2.5.1.\n\nUpgrade to Apache ShenYu 2.6.0 or apply patch\u00a0 https://github.com/apache/shenyu/pull/4776 \u00a0.\n\n" } ], "metrics": [ { "other": { "content": { "text": "low" }, "type": "Textual description of severity" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-918", "description": "CWE-918 Server-Side Request Forgery (SSRF)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-10-19T08:35:31.452Z", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://lists.apache.org/thread/chprswxvb22z35vnoxv9tt3zknsm977d" } ], "source": { "discovery": "UNKNOWN" }, "title": "Server-Side Request Forgery in Apache ShenYu", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2023-25753", "datePublished": 
"2023-10-19T08:35:24.075Z", "dateReserved": "2023-02-13T14:14:30.512Z", "dateUpdated": "2024-09-12T20:32:26.867Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-37435 (GCVE-0-2022-37435)
Vulnerability from cvelistv5
Published
2022-09-01 14:00
Modified
2024-08-03 10:29
Severity: moderate (Apache rating)
CWE
- CWE-732 - Incorrect Permission Assignment for Critical Resource
Summary
Apache ShenYu Admin has insecure permissions, which may allow low-privilege administrators to modify high-privilege administrators' passwords. This issue affects Apache ShenYu 2.4.2 and 2.4.3. Upgrade to Apache ShenYu 2.5.0 or apply the patch in https://github.com/apache/shenyu/pull/3658.
References
URL | Tags |
---|---|
https://lists.apache.org/thread/ndblyxr2fdrvjtgbs1bogxgv2cgk7t28 | x_refsource_MISC |
Impacted products
Vendor | Product | Version |
---|---|---|
Apache Software Foundation | Apache ShenYu | 2.4.2 and 2.4.3 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T10:29:20.982Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://lists.apache.org/thread/ndblyxr2fdrvjtgbs1bogxgv2cgk7t28" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Apache ShenYu", "vendor": "Apache Software Foundation", "versions": [ { "status": "affected", "version": "Apache ShenYu 2.4.2 and 2.4.3" } ] } ], "credits": [ { "lang": "en", "value": "Apache ShenYu would like to thank Lulu Gu \u003cmiogulugulu@gmail.com\u003e for reporting this issue." } ], "descriptions": [ { "lang": "en", "value": "Apache ShenYu Admin has insecure permissions, which may allow low-privilege administrators to modify high-privilege administrator\u0027s passwords. This issue affects Apache ShenYu 2.4.2 and 2.4.3." } ], "metrics": [ { "other": { "content": { "other": "moderate" }, "type": "unknown" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-732", "description": "CWE-732 Incorrect Permission Assignment for Critical Resource", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-07-25T08:21:45.964Z", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://lists.apache.org/thread/ndblyxr2fdrvjtgbs1bogxgv2cgk7t28" } ], "source": { "discovery": "UNKNOWN" }, "title": "Apache ShenYu Admin Improper Privilege Management", "workarounds": [ { "lang": "en", "value": "Upgrade to Apache ShenYu 2.5.0 or apply patch https://github.com/apache/shenyu/pull/3658." 
} ], "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@apache.org", "ID": "CVE-2022-37435", "STATE": "PUBLIC", "TITLE": "Apache ShenYu Admin Improper Privilege Management" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Apache ShenYu", "version": { "version_data": [ { "version_affected": "=", "version_name": "Apache ShenYu", "version_value": "2.4.2 and 2.4.3" } ] } } ] }, "vendor_name": "Apache Software Foundation" } ] } }, "credit": [ { "lang": "eng", "value": "Apache ShenYu would like to thank Lulu Gu \u003cmiogulugulu@gmail.com\u003e for reporting this issue." } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Apache ShenYu Admin has insecure permissions, which may allow low-privilege administrators to modify high-privilege administrator\u0027s passwords. This issue affects Apache ShenYu 2.4.2 and 2.4.3." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": [ { "other": "moderate" } ], "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-732 Incorrect Permission Assignment for Critical Resource" } ] } ] }, "references": { "reference_data": [ { "name": "https://lists.apache.org/thread/ndblyxr2fdrvjtgbs1bogxgv2cgk7t28", "refsource": "MISC", "url": "https://lists.apache.org/thread/ndblyxr2fdrvjtgbs1bogxgv2cgk7t28" } ] }, "source": { "discovery": "UNKNOWN" }, "work_around": [ { "lang": "en", "value": "Upgrade to Apache ShenYu 2.5.0 or apply patch https://github.com/apache/shenyu/pull/3658." } ] } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2022-37435", "datePublished": "2022-09-01T14:00:14", "dateReserved": "2022-08-05T00:00:00", "dateUpdated": "2024-08-03T10:29:20.982Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-42735 (GCVE-0-2022-42735)
Vulnerability from cvelistv5
Published
2023-02-15 09:38
Modified
2025-03-19 15:27
Severity: low (Apache textual rating); CVSS 3.1 base score 8.8 HIGH per CISA ADP (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
CISA SSVC: Exploitation none, Automatable no, Technical Impact total
CWE
- CWE-269 - Improper Privilege Management
Summary
Improper Privilege Management vulnerability in Apache Software Foundation Apache ShenYu.
ShenYu Admin allows low-privilege administrators to create users with higher privileges than their own.
This issue affects Apache ShenYu 2.5.0 (the CVE record marks every version up to and including 2.5.0 as affected).
Upgrade to Apache ShenYu 2.5.1 or apply the patch in https://github.com/apache/shenyu/pull/3958.
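The following is an added example, not Apache ShenYu Admin code, showing the server-side authorization rule that both privilege-management records on this page (CVE-2022-37435, password changes by low-privilege administrators, and CVE-2022-42735, creation of users above the caller's own privilege) describe as missing. The role names, their ranking and the policy itself (a user may change their own password or that of a strictly lower-ranked account; only admin-or-higher may create accounts, and never above their own rank) are this example's assumptions, not ShenYu's actual role model. The seeded accounts and attempted operations are constructed for the demo.

```python
"""
Added example, not Apache ShenYu Admin code: rank-aware authorization
for password changes and user creation.  Role names, ranking and policy
are assumptions of this example.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

# Assumed role ranking: higher number = more privilege.
ROLE_RANK = {"viewer": 1, "operator": 2, "admin": 3, "superadmin": 4}
MANAGE_USERS_MIN_RANK = ROLE_RANK["admin"]
PBKDF2_ROUNDS = 100_000


class Forbidden(Exception):
    """The acting user lacks the privilege for the requested operation."""


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns salt || digest."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt + digest


def verify_password(password, stored):
    salt, digest = stored[:16], stored[16:]
    calc = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(calc, digest)


@dataclass
class User:
    name: str
    role: str
    pw_hash: bytes


class UserService:
    """`actor` must always be the identity from the server-side session,
    never a user name or role taken from the request body."""

    def __init__(self):
        self.users = {}

    def seed(self, name, role, password):
        """Bootstrap helper with no authorization; demo setup only."""
        self.users[name] = User(name, role, hash_password(password))

    @staticmethod
    def _rank(user):
        return ROLE_RANK[user.role]

    # Vulnerable pattern: the endpoint verifies that the caller is logged in
    # but never compares the caller's rank with the target account's.
    def change_password_unchecked(self, actor, target_name, new_password):
        self.users[target_name].pw_hash = hash_password(new_password)

    # Hardened: self-service, or strictly higher rank than the target.
    def change_password(self, actor, target_name, new_password):
        target = self.users[target_name]
        if actor.name != target.name and self._rank(actor) <= self._rank(target):
            raise Forbidden(f"{actor.name} ({actor.role}) may not change the "
                            f"password of {target.name} ({target.role})")
        target.pw_hash = hash_password(new_password)

    # Hardened: only account managers, and never a role above their own.
    def create_user(self, actor, name, role, password):
        if role not in ROLE_RANK:
            raise ValueError(f"unknown role {role!r}")
        if self._rank(actor) < MANAGE_USERS_MIN_RANK:
            raise Forbidden(f"{actor.name} ({actor.role}) may not manage users")
        if ROLE_RANK[role] > self._rank(actor):
            raise Forbidden(f"{actor.name} ({actor.role}) may not create a {role}")
        if name in self.users:
            raise ValueError(f"user {name!r} already exists")
        self.users[name] = User(name, role, hash_password(password))
        return self.users[name]


def demo():
    """Seed three constructed accounts and replay the CVE scenarios;
    returns (service, {attempt label: 'allowed' | 'forbidden'})."""
    svc = UserService()
    svc.seed("root", "superadmin", "root-initial")
    svc.seed("alice", "admin", "alice-initial")
    svc.seed("bob", "operator", "bob-initial")
    root, alice, bob = svc.users["root"], svc.users["alice"], svc.users["bob"]
    attempts = [
        ("bob resets root, unchecked", lambda: svc.change_password_unchecked(bob, "root", "pwned")),
        ("bob resets root", lambda: svc.change_password(bob, "root", "pwned-again")),
        ("bob resets bob", lambda: svc.change_password(bob, "bob", "bob-new")),
        ("root resets bob", lambda: svc.change_password(root, "bob", "issued")),
        ("alice creates superadmin", lambda: svc.create_user(alice, "eve", "superadmin", "x")),
        ("alice creates operator", lambda: svc.create_user(alice, "carol", "operator", "x")),
        ("bob creates viewer", lambda: svc.create_user(bob, "dave", "viewer", "x")),
    ]
    outcomes = {}
    for label, op in attempts:
        try:
            op()
            outcomes[label] = "allowed"
        except Forbidden:
            outcomes[label] = "forbidden"
    return svc, outcomes


if __name__ == "__main__":
    _, results = demo()
    for label, outcome in results.items():
        print(f"{outcome:9s} {label}")
```

The point of the rank comparison is that it runs against the target account's stored role and the actor's session identity; a check that only asks "is the caller an administrator?" is exactly what lets a low-privilege administrator reach a higher-privilege one, which is the shape of both records above. Whether a peer of equal rank may reset another peer is a policy decision; the example denies it.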
References
URL | Tags |
---|---|
https://lists.apache.org/thread/2k8764jmckmc19qc8x51nlnngq71pcf7 | vendor-advisory |
Impacted products
Vendor | Product | Version |
---|---|---|
Apache Software Foundation | Apache ShenYu | 0 through 2.5.0 inclusive (maven) |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T13:10:41.459Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.apache.org/thread/2k8764jmckmc19qc8x51nlnngq71pcf7" } ], "title": "CVE Program Container" }, { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2022-42735", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2025-03-19T15:27:08.447399Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-269", "description": "CWE-269 Improper Privilege Management", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-03-19T15:27:12.113Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Apache ShenYu", "vendor": "Apache Software Foundation", "versions": [ { "lessThanOrEqual": "2.5.0", "status": "affected", "version": "0", "versionType": "maven" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "xxhzz" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Improper Privilege Management vulnerability in Apache Software Foundation Apache ShenYu.\u003cbr\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eShenYu Admin allows low-privilege low-level administrators create users with higher 
privileges than their own.\u003c/span\u003e\n\n\u003cp\u003eThis issue affects Apache ShenYu: 2.5.0.\u003c/p\u003e\u003cp\u003eUpgrade to Apache ShenYu 2.5.1 or apply patch \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/apache/shenyu/pull/3958\"\u003ehttps://github.com/apache/shenyu/pull/3958\u003c/a\u003e.\u003cbr\u003e\u003c/p\u003e" } ], "value": "Improper Privilege Management vulnerability in Apache Software Foundation Apache ShenYu.\n\n\nShenYu Admin allows low-privilege low-level administrators create users with higher privileges than their own.\n\nThis issue affects Apache ShenYu: 2.5.0.\n\nUpgrade to Apache ShenYu 2.5.1 or apply patch https://github.com/apache/shenyu/pull/3958 https://github.com/apache/shenyu/pull/3958 .\n\n\n" } ], "metrics": [ { "other": { "content": { "text": "low" }, "type": "Textual description of severity" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-269", "description": "CWE-269 Improper Privilege Management", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-02-15T09:38:55.301Z", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://lists.apache.org/thread/2k8764jmckmc19qc8x51nlnngq71pcf7" } ], "source": { "discovery": "EXTERNAL" }, "title": "Apache ShenYu Admin ultra vires", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2022-42735", "datePublished": "2023-02-15T09:38:55.301Z", "dateReserved": "2022-10-10T14:42:39.234Z", "dateUpdated": "2025-03-19T15:27:12.113Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }