Vulnerabilities related to Apache Software Foundation - Apache ShenYu (incubating)
CVE-2022-26650 (GCVE-0-2022-26650)
Vulnerability from cvelistv5
Published: 2022-05-17 08:05
Modified: 2024-08-03 05:11
CWE
- CWE-1333 - Inefficient Regular Expression Complexity
Summary
In Apache ShenYu, ShenYu-Bootstrap, RegexPredicateJudge.java uses Pattern.matches(conditionData.getParamValue(), realData) to make judgments, where both parameters are controllable by the user. This can allow an attacker to pass in malicious regular expressions and characters, causing resource exhaustion. This issue affects Apache ShenYu (incubating) 2.4.0, 2.4.1 and 2.4.2 and is fixed in 2.4.3.
References
URL | Tags
---|---
https://lists.apache.org/thread/8rp33m3nm4bwtx3qx76mqynth3t3d673 | x_refsource_MISC
http://www.openwall.com/lists/oss-security/2022/05/17/3 | mailing-list, x_refsource_MLIST
Impacted products
Vendor | Product | Version
---|---|---
Apache Software Foundation | Apache ShenYu (incubating) | unspecified < 2.4.3
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T05:11:43.499Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://lists.apache.org/thread/8rp33m3nm4bwtx3qx76mqynth3t3d673" }, { "name": "[oss-security] 20220517 CVE-2022-26650: Apache ShenYu (incubating) Regular expression denial of service", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2022/05/17/3" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Apache ShenYu (incubating) ", "vendor": "Apache Software Foundation", "versions": [ { "lessThan": "2.4.3", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "In Apache ShenYui, ShenYu-Bootstrap, RegexPredicateJudge.java uses Pattern.matches(conditionData.getParamValue(), realData) to make judgments, where both parameters are controllable by the user. This can cause an attacker pass in malicious regular expressions and characters causing a resource exhaustion. This issue affects Apache ShenYu (incubating) 2.4.0, 2.4.1 and 2.4.2 and is fixed in 2.4.3." 
} ], "metrics": [ { "other": { "content": { "other": "moderate" }, "type": "unknown" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-1333", "description": "CWE-1333 Inefficient Regular Expression Complexity", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-07-12T10:13:17.435Z", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://lists.apache.org/thread/8rp33m3nm4bwtx3qx76mqynth3t3d673" }, { "name": "[oss-security] 20220517 CVE-2022-26650: Apache ShenYu (incubating) Regular expression denial of service", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2022/05/17/3" } ], "source": { "discovery": "UNKNOWN" }, "title": "Apache ShenYu (incubating) Regular expression denial of service", "workarounds": [ { "lang": "en", "value": "Upgrade to Apache ShenYu (incubating) 2.4.3 or apply patch https://github.com/apache/incubator-shenyu/pull/2975." } ], "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@apache.org", "ID": "CVE-2022-26650", "STATE": "PUBLIC", "TITLE": "Apache ShenYu (incubating) Regular expression denial of service" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Apache ShenYu (incubating) ", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "2.4.3" } ] } } ] }, "vendor_name": "Apache Software Foundation" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "In Apache ShenYui, ShenYu-Bootstrap, RegexPredicateJudge.java uses Pattern.matches(conditionData.getParamValue(), realData) to make judgments, where both parameters are controllable by the user. This can cause an attacker pass in malicious regular expressions and characters causing a resource exhaustion. 
This issue affects Apache ShenYu (incubating) 2.4.0, 2.4.1 and 2.4.2 and is fixed in 2.4.3." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": [ { "other": "moderate" } ], "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-1333 Inefficient Regular Expression Complexity" } ] } ] }, "references": { "reference_data": [ { "name": "https://lists.apache.org/thread/8rp33m3nm4bwtx3qx76mqynth3t3d673", "refsource": "MISC", "url": "https://lists.apache.org/thread/8rp33m3nm4bwtx3qx76mqynth3t3d673" }, { "name": "[oss-security] 20220517 CVE-2022-26650: Apache ShenYu (incubating) Regular expression denial of service", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2022/05/17/3" } ] }, "source": { "discovery": "UNKNOWN" }, "work_around": [ { "lang": "en", "value": "Upgrade to Apache ShenYu (incubating) 2.4.3 or apply patch https://github.com/apache/incubator-shenyu/pull/2975." } ] } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2022-26650", "datePublished": "2022-05-17T08:05:10", "dateReserved": "2022-03-07T00:00:00", "dateUpdated": "2024-08-03T05:11:43.499Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-23944 (GCVE-0-2022-23944)
Vulnerability from cvelistv5
Published: 2022-01-25 13:00
Modified: 2024-08-03 03:59
CWE
- CWE-862 - Missing Authorization
Summary
A user can access the /plugin API without authentication. This issue affected Apache ShenYu 2.4.0 and 2.4.1.
References
URL | Tags
---|---
https://lists.apache.org/thread/dbrjnnlrf80dr0f92k5r2ysfvf1kr67y | x_refsource_MISC
http://www.openwall.com/lists/oss-security/2022/01/25/5 | mailing-list, x_refsource_MLIST
http://www.openwall.com/lists/oss-security/2022/01/25/15 | mailing-list, x_refsource_MLIST
http://www.openwall.com/lists/oss-security/2022/01/26/2 | mailing-list, x_refsource_MLIST
Impacted products
Vendor | Product | Version
---|---|---
Apache Software Foundation | Apache ShenYu (incubating) | Apache ShenYu (incubating) < 2.4.2
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T03:59:23.263Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://lists.apache.org/thread/dbrjnnlrf80dr0f92k5r2ysfvf1kr67y" }, { "name": "[oss-security] 20220125 CVE-2022-23944: Apache ShenYu 2.4.1 Improper access control", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2022/01/25/5" }, { "name": "[oss-security] 20220125 Re: CVE-2022-23944: Apache ShenYu 2.4.1 Improper access control", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2022/01/25/15" }, { "name": "[oss-security] 20220126 CVE-2022-23944: Apache ShenYu (incubating) Improper access control", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2022/01/26/2" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Apache ShenYu (incubating) ", "vendor": "Apache Software Foundation", "versions": [ { "lessThan": "2.4.2", "status": "affected", "version": "Apache ShenYu (incubating)", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "User can access /plugin api without authentication. This issue affected Apache ShenYu 2.4.0 and 2.4.1." 
} ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-862", "description": "CWE-862 Missing Authorization", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-01-26T12:06:15", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://lists.apache.org/thread/dbrjnnlrf80dr0f92k5r2ysfvf1kr67y" }, { "name": "[oss-security] 20220125 CVE-2022-23944: Apache ShenYu 2.4.1 Improper access control", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2022/01/25/5" }, { "name": "[oss-security] 20220125 Re: CVE-2022-23944: Apache ShenYu 2.4.1 Improper access control", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2022/01/25/15" }, { "name": "[oss-security] 20220126 CVE-2022-23944: Apache ShenYu (incubating) Improper access control", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2022/01/26/2" } ], "source": { "discovery": "UNKNOWN" }, "title": "Apache ShenYu 2.4.1 Improper access control", "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@apache.org", "ID": "CVE-2022-23944", "STATE": "PUBLIC", "TITLE": "Apache ShenYu 2.4.1 Improper access control" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Apache ShenYu (incubating) ", "version": { "version_data": [ { "version_affected": "\u003c", "version_name": "Apache ShenYu (incubating)", "version_value": "2.4.2" } ] } } ] }, "vendor_name": "Apache Software Foundation" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "User can access /plugin api without authentication. This issue affected Apache ShenYu 2.4.0 and 2.4.1." 
} ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": [ {} ], "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-862 Missing Authorization" } ] } ] }, "references": { "reference_data": [ { "name": "https://lists.apache.org/thread/dbrjnnlrf80dr0f92k5r2ysfvf1kr67y", "refsource": "MISC", "url": "https://lists.apache.org/thread/dbrjnnlrf80dr0f92k5r2ysfvf1kr67y" }, { "name": "[oss-security] 20220125 CVE-2022-23944: Apache ShenYu 2.4.1 Improper access control", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2022/01/25/5" }, { "name": "[oss-security] 20220125 Re: CVE-2022-23944: Apache ShenYu 2.4.1 Improper access control", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2022/01/25/15" }, { "name": "[oss-security] 20220126 CVE-2022-23944: Apache ShenYu (incubating) Improper access control", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2022/01/26/2" } ] }, "source": { "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2022-23944", "datePublished": "2022-01-25T13:00:24", "dateReserved": "2022-01-25T00:00:00", "dateUpdated": "2024-08-03T03:59:23.263Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2021-45029 (GCVE-0-2021-45029)
Vulnerability from cvelistv5
Published: 2022-01-25 13:00
Modified: 2024-08-04 04:32
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Summary
Groovy Code Injection & SpEL Injection, which lead to Remote Code Execution. This issue affected Apache ShenYu 2.4.0 and 2.4.1.
References
URL | Tags
---|---
https://lists.apache.org/thread/3zzmwvg3012tg306x8o893fvdcssx639 | x_refsource_MISC
http://www.openwall.com/lists/oss-security/2022/01/25/8 | mailing-list, x_refsource_MLIST
http://www.openwall.com/lists/oss-security/2022/01/26/1 | mailing-list, x_refsource_MLIST
Impacted products
Vendor | Product | Version
---|---|---
Apache Software Foundation | Apache ShenYu (incubating) | Apache ShenYu (incubating) < 2.4.2
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T04:32:13.478Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://lists.apache.org/thread/3zzmwvg3012tg306x8o893fvdcssx639" }, { "name": "[oss-security] 20220125 CVE-2021-45029: Groovy Code Injection \u0026 SpEL Injection in Apache ShenYu 2.4.1", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2022/01/25/8" }, { "name": "[oss-security] 20220126 CVE-2021-45029: Apache ShenYu (incubating) Groovy Code Injection and SpEL Injection", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2022/01/26/1" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Apache ShenYu (incubating) ", "vendor": "Apache Software Foundation", "versions": [ { "lessThan": "2.4.2", "status": "affected", "version": "Apache ShenYu (incubating)", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "Groovy Code Injection \u0026 SpEL Injection which lead to Remote Code Execution. This issue affected Apache ShenYu 2.4.0 and 2.4.1." 
} ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-01-26T12:06:11", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://lists.apache.org/thread/3zzmwvg3012tg306x8o893fvdcssx639" }, { "name": "[oss-security] 20220125 CVE-2021-45029: Groovy Code Injection \u0026 SpEL Injection in Apache ShenYu 2.4.1", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2022/01/25/8" }, { "name": "[oss-security] 20220126 CVE-2021-45029: Apache ShenYu (incubating) Groovy Code Injection and SpEL Injection", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2022/01/26/1" } ], "source": { "discovery": "UNKNOWN" }, "title": "Apache ShenYu 2.4.1 Groovy Code Injection \u0026 SpEL Injection", "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@apache.org", "ID": "CVE-2021-45029", "STATE": "PUBLIC", "TITLE": "Apache ShenYu 2.4.1 Groovy Code Injection \u0026 SpEL Injection" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Apache ShenYu (incubating) ", "version": { "version_data": [ { "version_affected": "\u003c", "version_name": "Apache ShenYu (incubating)", "version_value": "2.4.2" } ] } } ] }, "vendor_name": "Apache Software Foundation" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Groovy Code Injection \u0026 SpEL Injection which lead to Remote Code Execution. This issue affected Apache ShenYu 2.4.0 and 2.4.1." 
} ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": [ {} ], "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)" } ] } ] }, "references": { "reference_data": [ { "name": "https://lists.apache.org/thread/3zzmwvg3012tg306x8o893fvdcssx639", "refsource": "MISC", "url": "https://lists.apache.org/thread/3zzmwvg3012tg306x8o893fvdcssx639" }, { "name": "[oss-security] 20220125 CVE-2021-45029: Groovy Code Injection \u0026 SpEL Injection in Apache ShenYu 2.4.1", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2022/01/25/8" }, { "name": "[oss-security] 20220126 CVE-2021-45029: Apache ShenYu (incubating) Groovy Code Injection and SpEL Injection", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2022/01/26/1" } ] }, "source": { "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2021-45029", "datePublished": "2022-01-25T13:00:21", "dateReserved": "2021-12-13T00:00:00", "dateUpdated": "2024-08-04T04:32:13.478Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-23223 (GCVE-0-2022-23223)
Vulnerability from cvelistv5
Published
2022-01-25 13:00
Modified
2024-08-03 03:36
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-522 - Insufficiently Protected Credentials
Summary
On Apache ShenYu versions 2.4.0 and 2.4.1, an endpoint existed that disclosed the passwords of all users. Users are recommended to upgrade to version 2.4.2 or later.
References
URL | Tags
---|---
https://lists.apache.org/thread/q2gg6ny6lpkph7nkrvjzqdvqpm805v8s | x_refsource_MISC
http://www.openwall.com/lists/oss-security/2022/01/25/7 | mailing-list, x_refsource_MLIST
http://www.openwall.com/lists/oss-security/2022/01/26/4 | mailing-list, x_refsource_MLIST
Impacted products
Vendor | Product | Version
---|---|---
Apache Software Foundation | Apache ShenYu (incubating) | Apache ShenYu (incubating) < 2.4.2
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T03:36:20.334Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://lists.apache.org/thread/q2gg6ny6lpkph7nkrvjzqdvqpm805v8s" }, { "name": "[oss-security] 20220125 CVE-2022-23223: Password leakage in Apache ShenYu", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2022/01/25/7" }, { "name": "[oss-security] 20220126 CVE-2022-23223: Apache ShenYu (incubating) Password leakage", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2022/01/26/4" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Apache ShenYu (incubating) ", "vendor": "Apache Software Foundation", "versions": [ { "lessThan": "2.4.2", "status": "affected", "version": "Apache ShenYu (incubating) ", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "On Apache ShenYu versions 2.4.0 and 2.4.1, and endpoint existed that disclosed the passwords of all users. Users are recommended to upgrade to version 2.4.2 or later." 
} ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-522", "description": "CWE-522 Insufficiently Protected Credentials", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-10-04T08:00:34.196Z", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://lists.apache.org/thread/q2gg6ny6lpkph7nkrvjzqdvqpm805v8s" }, { "name": "[oss-security] 20220125 CVE-2022-23223: Password leakage in Apache ShenYu", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2022/01/25/7" }, { "name": "[oss-security] 20220126 CVE-2022-23223: Apache ShenYu (incubating) Password leakage", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2022/01/26/4" } ], "source": { "discovery": "UNKNOWN" }, "title": "Apache ShenYu Password leakage", "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@apache.org", "ID": "CVE-2022-23223", "STATE": "PUBLIC", "TITLE": "Apache ShenYu Password leakage" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Apache ShenYu (incubating) ", "version": { "version_data": [ { "version_affected": "\u003c", "version_name": "Apache ShenYu (incubating) ", "version_value": "2.4.2" } ] } } ] }, "vendor_name": "Apache Software Foundation" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The HTTP response will disclose the user password. This issue affected Apache ShenYu 2.4.0 and 2.4.1." 
} ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": [ {} ], "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-522 Insufficiently Protected Credentials" } ] } ] }, "references": { "reference_data": [ { "name": "https://lists.apache.org/thread/q2gg6ny6lpkph7nkrvjzqdvqpm805v8s", "refsource": "MISC", "url": "https://lists.apache.org/thread/q2gg6ny6lpkph7nkrvjzqdvqpm805v8s" }, { "name": "[oss-security] 20220125 CVE-2022-23223: Password leakage in Apache ShenYu", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2022/01/25/7" }, { "name": "[oss-security] 20220126 CVE-2022-23223: Apache ShenYu (incubating) Password leakage", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2022/01/26/4" } ] }, "source": { "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2022-23223", "datePublished": "2022-01-25T13:00:22", "dateReserved": "2022-01-14T00:00:00", "dateUpdated": "2024-08-03T03:36:20.334Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-23945 (GCVE-0-2022-23945)
Vulnerability from cvelistv5
Published
2022-01-25 13:00
Modified
2024-08-03 03:59
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-862 - Missing Authorization
Summary
Missing authentication on ShenYu Admin when registering by HTTP. This issue affected Apache ShenYu 2.4.0 and 2.4.1.
References
URL | Tags
---|---
https://lists.apache.org/thread/q2gg6ny6lpkph7nkrvjzqdvqpm805v8s | x_refsource_MISC
http://www.openwall.com/lists/oss-security/2022/01/25/6 | mailing-list, x_refsource_MLIST
http://www.openwall.com/lists/oss-security/2022/01/26/3 | mailing-list, x_refsource_MLIST
Impacted products
Vendor | Product | Version
---|---|---
Apache Software Foundation | Apache ShenYu (incubating) | Apache ShenYu (incubating) < 2.4.2
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T03:59:23.281Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://lists.apache.org/thread/q2gg6ny6lpkph7nkrvjzqdvqpm805v8s" }, { "name": "[oss-security] 20220125 CVE-2022-23945: Apache ShenYu missing authentication allows gateway registration", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2022/01/25/6" }, { "name": "[oss-security] 20220126 CVE-2022-23945: Apache ShenYu (incubating) missing authentication allows gateway registration", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2022/01/26/3" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Apache ShenYu (incubating) ", "vendor": "Apache Software Foundation", "versions": [ { "lessThan": "2.4.2", "status": "affected", "version": "Apache ShenYu (incubating) ", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "Missing authentication on ShenYu Admin when register by HTTP. This issue affected Apache ShenYu 2.4.0 and 2.4.1." 
} ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-862", "description": "CWE-862 Missing Authorization", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-01-26T12:06:13", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://lists.apache.org/thread/q2gg6ny6lpkph7nkrvjzqdvqpm805v8s" }, { "name": "[oss-security] 20220125 CVE-2022-23945: Apache ShenYu missing authentication allows gateway registration", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2022/01/25/6" }, { "name": "[oss-security] 20220126 CVE-2022-23945: Apache ShenYu (incubating) missing authentication allows gateway registration", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2022/01/26/3" } ], "source": { "discovery": "UNKNOWN" }, "title": "Apache ShenYu missing authentication allows gateway registration", "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@apache.org", "ID": "CVE-2022-23945", "STATE": "PUBLIC", "TITLE": "Apache ShenYu missing authentication allows gateway registration" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Apache ShenYu (incubating) ", "version": { "version_data": [ { "version_affected": "\u003c", "version_name": "Apache ShenYu (incubating) ", "version_value": "2.4.2" } ] } } ] }, "vendor_name": "Apache Software Foundation" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Missing authentication on ShenYu Admin when register by HTTP. This issue affected Apache ShenYu 2.4.0 and 2.4.1." 
} ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": [ {} ], "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-862 Missing Authorization" } ] } ] }, "references": { "reference_data": [ { "name": "https://lists.apache.org/thread/q2gg6ny6lpkph7nkrvjzqdvqpm805v8s", "refsource": "MISC", "url": "https://lists.apache.org/thread/q2gg6ny6lpkph7nkrvjzqdvqpm805v8s" }, { "name": "[oss-security] 20220125 CVE-2022-23945: Apache ShenYu missing authentication allows gateway registration", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2022/01/25/6" }, { "name": "[oss-security] 20220126 CVE-2022-23945: Apache ShenYu (incubating) missing authentication allows gateway registration", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2022/01/26/3" } ] }, "source": { "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2022-23945", "datePublished": "2022-01-25T13:00:25", "dateReserved": "2022-01-25T00:00:00", "dateUpdated": "2024-08-03T03:59:23.281Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }