Vulnerabilities related to apache - shenyu
var-202310-0478
Vulnerability from variot
There exists an SSRF (Server-Side Request Forgery) vulnerability located at the /sandbox/proxyGateway endpoint. This vulnerability allows us to manipulate arbitrary requests and retrieve corresponding responses by inputting any URL into the requestUrl parameter.
Of particular concern is our ability to exert control over the HTTP method, cookies, IP address, and headers. This effectively grants us the capability to dispatch complete HTTP requests to hosts of our choosing.
This issue affects Apache ShenYu: 2.5.1.
Upgrade to Apache ShenYu 2.6.0 or apply patch https://github.com/apache/shenyu/pull/4776
Show details on source website{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-202310-0478", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "shenyu", "scope": "eq", "trust": 1.8, "vendor": "apache", "version": "2.5.1" }, { "model": "shenyu", "scope": "eq", "trust": 0.8, "vendor": "apache", "version": null }, { "model": "shenyu", "scope": null, "trust": 0.8, "vendor": "apache", "version": null } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2023-015478" }, { "db": "NVD", 
"id": "CVE-2023-25753" } ] }, "cve": "CVE-2023-25753", "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [], "cvssV3": [ { "attackComplexity": "LOW", "attackVector": "NETWORK", "author": "nvd@nist.gov", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "exploitabilityScore": 3.9, "id": "CVE-2023-25753", "impactScore": 2.5, "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "trust": 1.0, "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1" }, { "attackComplexity": "Low", "attackVector": "Network", "author": "NVD", "availabilityImpact": "None", "baseScore": 6.5, "baseSeverity": "Medium", "confidentialityImpact": "Low", "exploitabilityScore": null, "id": "CVE-2023-25753", "impactScore": null, "integrityImpact": "Low", "privilegesRequired": "None", "scope": "Unchanged", "trust": 0.8, "userInteraction": "None", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.0" } ], "severity": [ { "author": "nvd@nist.gov", "id": "CVE-2023-25753", "trust": 1.0, "value": "MEDIUM" }, { "author": "NVD", "id": "CVE-2023-25753", "trust": 0.8, "value": "Medium" } ] } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2023-015478" }, { "db": "NVD", "id": "CVE-2023-25753" } ] }, "description": { "@context": { 
"@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "\nThere exists an SSRF (Server-Side Request Forgery) vulnerability located at the /sandbox/proxyGateway endpoint. This vulnerability allows us to manipulate arbitrary requests and retrieve corresponding responses by inputting any URL into the requestUrl parameter. \n\nOf particular concern is our ability to exert control over the HTTP method, cookies, IP address, and headers. This effectively grants us the capability to dispatch complete HTTP requests to hosts of our choosing. \n\nThis issue affects Apache ShenYu: 2.5.1. \n\nUpgrade to Apache ShenYu 2.6.0 or apply patch\u00a0 https://github.com/apache/shenyu/pull/4776 \u00a0", "sources": [ { "db": "NVD", "id": "CVE-2023-25753" }, { "db": "JVNDB", "id": "JVNDB-2023-015478" }, { "db": "VULMON", "id": "CVE-2023-25753" } ], "trust": 1.71 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "NVD", "id": "CVE-2023-25753", "trust": 2.7 }, { "db": "JVNDB", "id": "JVNDB-2023-015478", "trust": 0.8 }, { "db": "VULMON", "id": "CVE-2023-25753", "trust": 0.1 } ], "sources": [ { "db": "VULMON", "id": "CVE-2023-25753" }, { "db": "JVNDB", "id": "JVNDB-2023-015478" }, { "db": "NVD", "id": "CVE-2023-25753" } ] }, "id": "VAR-202310-0478", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "VARIoT devices database", "id": null } ], "trust": 0.50793654 }, "last_update_date": "2024-08-14T15:26:23.679000Z", "problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { 
"@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "CWE-918", "trust": 1.0 }, { "problemtype": "Server-side request forgery (CWE-918) [NVD evaluation ]", "trust": 0.8 } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2023-015478" }, { "db": "NVD", "id": "CVE-2023-25753" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 1.9, "url": "https://lists.apache.org/thread/chprswxvb22z35vnoxv9tt3zknsm977d" }, { "trust": 0.8, "url": "https://nvd.nist.gov/vuln/detail/cve-2023-25753" }, { "trust": 0.1, "url": "https://cwe.mitre.org/data/definitions/918.html" }, { "trust": 0.1, "url": "https://nvd.nist.gov" } ], "sources": [ { "db": "VULMON", "id": "CVE-2023-25753" }, { "db": "JVNDB", "id": "JVNDB-2023-015478" }, { "db": "NVD", "id": "CVE-2023-25753" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "VULMON", "id": "CVE-2023-25753" }, { "db": "JVNDB", "id": "JVNDB-2023-015478" }, { "db": "NVD", "id": "CVE-2023-25753" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2023-10-19T00:00:00", "db": "VULMON", "id": "CVE-2023-25753" }, { "date": "2023-12-27T00:00:00", "db": "JVNDB", "id": "JVNDB-2023-015478" }, { "date": "2023-10-19T09:15:08.480000", "db": "NVD", "id": "CVE-2023-25753" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2023-10-19T00:00:00", "db": "VULMON", "id": "CVE-2023-25753" }, { "date": "2023-12-27T06:41:00", "db": "JVNDB", "id": "JVNDB-2023-015478" }, { "date": 
"2023-10-25T17:20:20.830000", "db": "NVD", "id": "CVE-2023-25753" } ] }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Apache\u00a0Software\u00a0Foundation\u00a0 of \u00a0ShenYu\u00a0 Server-side request forgery vulnerability in", "sources": [ { "db": "JVNDB", "id": "JVNDB-2023-015478" } ], "trust": 0.8 } }
var-202201-0599
Vulnerability from variot
Users can access the /plugin API without authentication. This issue affected Apache ShenYu 2.4.0 and 2.4.1. Apache ShenYu contains a vulnerability caused by a lack of authentication for critical features. Information may be obtained and may be tampered with. Apache ShenYu is an asynchronous, high-performance, cross-language, reactive API gateway.
An access control error vulnerability exists in Apache ShenYu versions 2.4.0 and 2.4.1.
Show details on source website{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-202201-0599", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "shenyu", "scope": "eq", "trust": 2.4, "vendor": "apache", "version": "2.4.0" }, { "model": "shenyu", "scope": "eq", "trust": 2.4, "vendor": "apache", "version": "2.4.1" }, { "model": "shenyu", "scope": "eq", "trust": 0.8, "vendor": "apache", "version": null } ], "sources": [ { "db": "CNVD", "id": "CNVD-2022-14708" }, { "db": 
"JVNDB", "id": "JVNDB-2022-004181" }, { "db": "NVD", "id": "CVE-2022-23944" } ] }, "cve": "CVE-2022-23944", "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [ { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "author": "nvd@nist.gov", "availabilityImpact": "NONE", "baseScore": 6.4, "confidentialityImpact": "PARTIAL", "exploitabilityScore": 10.0, "id": "CVE-2022-23944", "impactScore": 4.9, "integrityImpact": "PARTIAL", "severity": "MEDIUM", "trust": 1.9, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0" }, { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "author": "CNVD", "availabilityImpact": "NONE", "baseScore": 6.4, "confidentialityImpact": "PARTIAL", "exploitabilityScore": 10.0, "id": "CNVD-2022-14708", "impactScore": 4.9, "integrityImpact": "PARTIAL", "severity": "MEDIUM", "trust": 0.6, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0" } ], "cvssV3": [ { "attackComplexity": "LOW", "attackVector": "NETWORK", "author": "nvd@nist.gov", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "exploitabilityScore": 3.9, "id": "CVE-2022-23944", "impactScore": 5.2, "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "trust": 1.0, "userInteraction": "NONE", "vectorString": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1" }, { "attackComplexity": "Low", "attackVector": "Network", "author": "NVD", "availabilityImpact": "None", "baseScore": 9.1, "baseSeverity": "Critical", "confidentialityImpact": "High", "exploitabilityScore": null, "id": "CVE-2022-23944", "impactScore": null, "integrityImpact": "High", "privilegesRequired": "None", "scope": "Unchanged", "trust": 0.8, "userInteraction": "None", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.0" } ], "severity": [ { "author": "nvd@nist.gov", "id": "CVE-2022-23944", "trust": 1.0, "value": "CRITICAL" }, { "author": "NVD", "id": "CVE-2022-23944", "trust": 0.8, "value": "Critical" }, { "author": "CNVD", "id": "CNVD-2022-14708", "trust": 0.6, "value": "MEDIUM" }, { "author": "CNNVD", "id": "CNNVD-202201-2308", "trust": 0.6, "value": "CRITICAL" }, { "author": "VULMON", "id": "CVE-2022-23944", "trust": 0.1, "value": "MEDIUM" } ] } ], "sources": [ { "db": "CNVD", "id": "CNVD-2022-14708" }, { "db": "VULMON", "id": "CVE-2022-23944" }, { "db": "JVNDB", "id": "JVNDB-2022-004181" }, { "db": "CNNVD", "id": "CNNVD-202201-2308" }, { "db": "NVD", "id": "CVE-2022-23944" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "User can access /plugin api without authentication. This issue affected Apache ShenYu 2.4.0 and 2.4.1. Apache ShenYu There is a vulnerability in the lack of authentication for critical features.Information may be obtained and information may be tampered with. Apache ShenYu is an asynchronous, high-performance, cross-language, reactive API gateway. 
\n\r\n\r\nAn access control error vulnerability exists in Apache ShenYu version 2.4.0 and 2.4.1", "sources": [ { "db": "NVD", "id": "CVE-2022-23944" }, { "db": "JVNDB", "id": "JVNDB-2022-004181" }, { "db": "CNVD", "id": "CNVD-2022-14708" }, { "db": "VULMON", "id": "CVE-2022-23944" } ], "trust": 2.25 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "NVD", "id": "CVE-2022-23944", "trust": 3.9 }, { "db": "OPENWALL", "id": "OSS-SECURITY/2022/01/26/2", "trust": 2.5 }, { "db": "OPENWALL", "id": "OSS-SECURITY/2022/01/25/5", "trust": 1.7 }, { "db": "OPENWALL", "id": "OSS-SECURITY/2022/01/25/15", "trust": 1.7 }, { "db": "JVNDB", "id": "JVNDB-2022-004181", "trust": 0.8 }, { "db": "CNVD", "id": "CNVD-2022-14708", "trust": 0.6 }, { "db": "CS-HELP", "id": "SB2022012522", "trust": 0.6 }, { "db": "CNNVD", "id": "CNNVD-202201-2308", "trust": 0.6 }, { "db": "VULMON", "id": "CVE-2022-23944", "trust": 0.1 } ], "sources": [ { "db": "CNVD", "id": "CNVD-2022-14708" }, { "db": "VULMON", "id": "CVE-2022-23944" }, { "db": "JVNDB", "id": "JVNDB-2022-004181" }, { "db": "CNNVD", "id": "CNNVD-202201-2308" }, { "db": "NVD", "id": "CVE-2022-23944" } ] }, "id": "VAR-202201-0599", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "CNVD", "id": "CNVD-2022-14708" } ], "trust": 1.1079365399999999 }, "iot_taxonomy": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "category": [ "Network device" ], "sub_category": null, "trust": 0.6 } ], "sources": [ { "db": "CNVD", "id": 
"CNVD-2022-14708" } ] }, "last_update_date": "2024-11-23T22:20:40.953000Z", "patch": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "title": "CVE-2022-23944", "trust": 0.8, "url": "https://lists.apache.org/thread/dbrjnnlrf80dr0f92k5r2ysfvf1kr67y" }, { "title": "Patch for Apache ShenYu Access Control Error Vulnerability", "trust": 0.6, "url": "https://www.cnvd.org.cn/patchInfo/show/321656" }, { "title": "Apache ShenYu Fixes for access control error vulnerabilities", "trust": 0.6, "url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=180316" }, { "title": "", "trust": 0.1, "url": "https://github.com/xinyisleep/pocscan " } ], "sources": [ { "db": "CNVD", "id": "CNVD-2022-14708" }, { "db": "VULMON", "id": "CVE-2022-23944" }, { "db": "JVNDB", "id": "JVNDB-2022-004181" }, { "db": "CNNVD", "id": "CNNVD-202201-2308" } ] }, "problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "CWE-306", "trust": 1.0 }, { "problemtype": "CWE-862", "trust": 1.0 }, { "problemtype": "Lack of authentication for critical features (CWE-306) [NVD evaluation ]", "trust": 0.8 } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2022-004181" }, { "db": "NVD", "id": "CVE-2022-23944" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 2.5, "url": "http://www.openwall.com/lists/oss-security/2022/01/26/2" }, { "trust": 2.0, "url": "https://nvd.nist.gov/vuln/detail/cve-2022-23944" }, { "trust": 1.7, "url": 
"https://lists.apache.org/thread/dbrjnnlrf80dr0f92k5r2ysfvf1kr67y" }, { "trust": 1.7, "url": "http://www.openwall.com/lists/oss-security/2022/01/25/5" }, { "trust": 1.7, "url": "http://www.openwall.com/lists/oss-security/2022/01/25/15" }, { "trust": 0.6, "url": "https://www.cybersecurity-help.cz/vdb/sb2022012522" }, { "trust": 0.1, "url": "https://cwe.mitre.org/data/definitions/306.html" }, { "trust": 0.1, "url": "https://nvd.nist.gov" }, { "trust": 0.1, "url": "https://github.com/xinyisleep/pocscan" } ], "sources": [ { "db": "CNVD", "id": "CNVD-2022-14708" }, { "db": "VULMON", "id": "CVE-2022-23944" }, { "db": "JVNDB", "id": "JVNDB-2022-004181" }, { "db": "CNNVD", "id": "CNNVD-202201-2308" }, { "db": "NVD", "id": "CVE-2022-23944" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "CNVD", "id": "CNVD-2022-14708" }, { "db": "VULMON", "id": "CVE-2022-23944" }, { "db": "JVNDB", "id": "JVNDB-2022-004181" }, { "db": "CNNVD", "id": "CNNVD-202201-2308" }, { "db": "NVD", "id": "CVE-2022-23944" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2022-02-23T00:00:00", "db": "CNVD", "id": "CNVD-2022-14708" }, { "date": "2022-01-25T00:00:00", "db": "VULMON", "id": "CVE-2022-23944" }, { "date": "2023-03-28T00:00:00", "db": "JVNDB", "id": "JVNDB-2022-004181" }, { "date": "2022-01-25T00:00:00", "db": "CNNVD", "id": "CNNVD-202201-2308" }, { "date": "2022-01-25T13:15:08.183000", "db": "NVD", "id": "CVE-2022-23944" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2022-02-25T00:00:00", "db": "CNVD", "id": "CNVD-2022-14708" }, { "date": "2022-02-01T00:00:00", "db": "VULMON", "id": "CVE-2022-23944" }, { "date": "2023-03-28T03:11:00", "db": "JVNDB", "id": 
"JVNDB-2022-004181" }, { "date": "2022-02-28T00:00:00", "db": "CNNVD", "id": "CNNVD-202201-2308" }, { "date": "2024-11-21T06:49:30.207000", "db": "NVD", "id": "CVE-2022-23944" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "remote", "sources": [ { "db": "CNNVD", "id": "CNNVD-202201-2308" } ], "trust": 0.6 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Apache ShenYu Access Control Error Vulnerability", "sources": [ { "db": "CNVD", "id": "CNVD-2022-14708" }, { "db": "CNNVD", "id": "CNNVD-202201-2308" } ], "trust": 1.2 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "access control error", "sources": [ { "db": "CNNVD", "id": "CNNVD-202201-2308" } ], "trust": 0.6 } }
var-202111-0822
Vulnerability from variot
A flaw was found in Apache ShenYu Admin. The incorrect use of JWT in ShenyuAdminBootstrap allows an attacker to bypass authentication. This issue affected Apache ShenYu 2.3.0 and 2.4.0. Apache ShenYu Admin contains an authentication vulnerability. Information may be obtained or tampered with, and service operation may be interrupted (DoS). Apache ShenYu is an asynchronous, high-performance, cross-language, and responsive API gateway of the Apache Foundation. No detailed vulnerability information is currently provided.
Show details on source website{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "configurations": { "@id": "https://www.variotdbs.pl/ref/configurations" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-202111-0822", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "shenyu", "scope": "eq", "trust": 2.4, "vendor": "apache", "version": "2.3.0" }, { "model": "shenyu", "scope": "eq", "trust": 2.4, "vendor": "apache", "version": "2.4.0" }, { "model": "shenyu", "scope": "eq", "trust": 0.8, "vendor": "apache", "version": null 
} ], "sources": [ { "db": "CNVD", "id": "CNVD-2021-89682" }, { "db": "JVNDB", "id": "JVNDB-2021-015197" }, { "db": "NVD", "id": "CVE-2021-37580" } ] }, "cve": "CVE-2021-37580", "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [ { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "author": "nvd@nist.gov", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "exploitabilityScore": 10.0, "id": "CVE-2021-37580", "impactScore": 6.4, "integrityImpact": "PARTIAL", "severity": "HIGH", "trust": 1.9, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "author": "CNVD", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "exploitabilityScore": 10.0, "id": "CNVD-2021-89682", "impactScore": 6.4, "integrityImpact": "PARTIAL", "severity": "HIGH", "trust": 0.6, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" } ], "cvssV3": [ { "attackComplexity": "LOW", "attackVector": "NETWORK", "author": "nvd@nist.gov", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "exploitabilityScore": 3.9, "id": "CVE-2021-37580", "impactScore": 5.9, "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": 
"UNCHANGED", "trust": 1.0, "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, { "attackComplexity": "Low", "attackVector": "Network", "author": "NVD", "availabilityImpact": "High", "baseScore": 9.8, "baseSeverity": "Critical", "confidentialityImpact": "High", "exploitabilityScore": null, "id": "CVE-2021-37580", "impactScore": null, "integrityImpact": "High", "privilegesRequired": "None", "scope": "Unchanged", "trust": 0.8, "userInteraction": "None", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" } ], "severity": [ { "author": "nvd@nist.gov", "id": "CVE-2021-37580", "trust": 1.0, "value": "CRITICAL" }, { "author": "NVD", "id": "CVE-2021-37580", "trust": 0.8, "value": "Critical" }, { "author": "CNVD", "id": "CNVD-2021-89682", "trust": 0.6, "value": "HIGH" }, { "author": "CNNVD", "id": "CNNVD-202111-1500", "trust": 0.6, "value": "CRITICAL" }, { "author": "VULMON", "id": "CVE-2021-37580", "trust": 0.1, "value": "HIGH" } ] } ], "sources": [ { "db": "CNVD", "id": "CNVD-2021-89682" }, { "db": "VULMON", "id": "CVE-2021-37580" }, { "db": "JVNDB", "id": "JVNDB-2021-015197" }, { "db": "CNNVD", "id": "CNNVD-202111-1500" }, { "db": "NVD", "id": "CVE-2021-37580" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "A flaw was found in Apache ShenYu Admin. The incorrect use of JWT in ShenyuAdminBootstrap allows an attacker to bypass authentication. This issue affected Apache ShenYu 2.3.0 and 2.4.0. Apache ShenYu Admin There is an authentication vulnerability in.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. Apache ShenYu is an asynchronous, high-performance, cross-language, and responsive API gateway of the Apache Foundation. 
No detailed vulnerability details are currently provided", "sources": [ { "db": "NVD", "id": "CVE-2021-37580" }, { "db": "JVNDB", "id": "JVNDB-2021-015197" }, { "db": "CNVD", "id": "CNVD-2021-89682" }, { "db": "VULMON", "id": "CVE-2021-37580" } ], "trust": 2.25 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "NVD", "id": "CVE-2021-37580", "trust": 3.9 }, { "db": "OPENWALL", "id": "OSS-SECURITY/2021/11/16/1", "trust": 1.7 }, { "db": "JVNDB", "id": "JVNDB-2021-015197", "trust": 0.8 }, { "db": "CNVD", "id": "CNVD-2021-89682", "trust": 0.6 }, { "db": "CNNVD", "id": "CNNVD-202111-1500", "trust": 0.6 }, { "db": "VULMON", "id": "CVE-2021-37580", "trust": 0.1 } ], "sources": [ { "db": "CNVD", "id": "CNVD-2021-89682" }, { "db": "VULMON", "id": "CVE-2021-37580" }, { "db": "JVNDB", "id": "JVNDB-2021-015197" }, { "db": "CNNVD", "id": "CNNVD-202111-1500" }, { "db": "NVD", "id": "CVE-2021-37580" } ] }, "id": "VAR-202111-0822", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "CNVD", "id": "CNVD-2021-89682" } ], "trust": 1.1079365399999999 }, "iot_taxonomy": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "category": [ "Network device" ], "sub_category": null, "trust": 0.6 } ], "sources": [ { "db": "CNVD", "id": "CNVD-2021-89682" } ] }, "last_update_date": "2024-08-14T13:53:47.025000Z", "patch": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { 
"@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "title": "CVE-2021-37580", "trust": 0.8, "url": "https://lists.apache.org/thread/o15j25qwtpcw62k48xw1tnv48skh3zgb" }, { "title": "Patch for Apache ShenYu authorization issue vulnerability", "trust": 0.6, "url": "https://www.cnvd.org.cn/patchInfo/show/300116" }, { "title": "Apache ShenYu Remediation measures for authorization problem vulnerabilities", "trust": 0.6, "url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=170134" }, { "title": "CVE-2021-37580", "trust": 0.1, "url": "https://github.com/Liang2580/CVE-2021-37580 " }, { "title": "CVE-2021-37580", "trust": 0.1, "url": "https://github.com/fengwenhua/CVE-2021-37580 " }, { "title": "CVE-2021-37580", "trust": 0.1, "url": "https://github.com/rabbitsafe/CVE-2021-37580 " }, { "title": "westone-CVE-2021-37580-scanner", "trust": 0.1, "url": "https://github.com/Osyanina/westone-CVE-2021-37580-scanner " }, { "title": "CVE-2021-37580", "trust": 0.1, "url": "https://github.com/Wing-song/CVE-2021-37580 " }, { "title": "CVE-2021-37580", "trust": 0.1, "url": "https://github.com/ZororoZ/CVE-2021-37580 " }, { "title": "langligelang", "trust": 0.1, "url": "https://github.com/langligelang/langligelang " }, { "title": "db_script_v2", "trust": 0.1, "url": "https://github.com/Ilovewomen/db_script_v2 " }, { "title": "db_script_v2_2", "trust": 0.1, "url": "https://github.com/Ilovewomen/db_script_v2_2 " } ], "sources": [ { "db": "CNVD", "id": "CNVD-2021-89682" }, { "db": "VULMON", "id": "CVE-2021-37580" }, { "db": "JVNDB", "id": "JVNDB-2021-015197" }, { "db": "CNNVD", "id": "CNNVD-202111-1500" } ] }, "problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "CWE-287", "trust": 1.0 }, { "problemtype": "Inappropriate authentication (CWE-287) [NVD evaluation ]", "trust": 0.8 } ], "sources": [ { 
"db": "JVNDB", "id": "JVNDB-2021-015197" }, { "db": "NVD", "id": "CVE-2021-37580" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 2.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-37580" }, { "trust": 1.7, "url": "https://lists.apache.org/thread/o15j25qwtpcw62k48xw1tnv48skh3zgb" }, { "trust": 1.7, "url": "http://www.openwall.com/lists/oss-security/2021/11/16/1" }, { "trust": 0.1, "url": "https://cwe.mitre.org/data/definitions/287.html" }, { "trust": 0.1, "url": "https://github.com/liang2580/cve-2021-37580" }, { "trust": 0.1, "url": "https://nvd.nist.gov" } ], "sources": [ { "db": "CNVD", "id": "CNVD-2021-89682" }, { "db": "VULMON", "id": "CVE-2021-37580" }, { "db": "JVNDB", "id": "JVNDB-2021-015197" }, { "db": "CNNVD", "id": "CNNVD-202111-1500" }, { "db": "NVD", "id": "CVE-2021-37580" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "CNVD", "id": "CNVD-2021-89682" }, { "db": "VULMON", "id": "CVE-2021-37580" }, { "db": "JVNDB", "id": "JVNDB-2021-015197" }, { "db": "CNNVD", "id": "CNNVD-202111-1500" }, { "db": "NVD", "id": "CVE-2021-37580" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2021-11-22T00:00:00", "db": "CNVD", "id": "CNVD-2021-89682" }, { "date": "2021-11-16T00:00:00", "db": "VULMON", "id": "CVE-2021-37580" }, { "date": "2022-11-11T00:00:00", "db": "JVNDB", "id": "JVNDB-2021-015197" }, { "date": "2021-11-16T00:00:00", "db": "CNNVD", "id": "CNNVD-202111-1500" }, { "date": "2021-11-16T10:15:07.220000", "db": "NVD", "id": "CVE-2021-37580" } ] }, "sources_update_date": { "@context": { "@vocab": 
"https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2021-11-22T00:00:00", "db": "CNVD", "id": "CNVD-2021-89682" }, { "date": "2021-11-17T00:00:00", "db": "VULMON", "id": "CVE-2021-37580" }, { "date": "2022-11-11T05:28:00", "db": "JVNDB", "id": "JVNDB-2021-015197" }, { "date": "2021-11-25T00:00:00", "db": "CNNVD", "id": "CNNVD-202111-1500" }, { "date": "2021-11-17T20:17:30.813000", "db": "NVD", "id": "CVE-2021-37580" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "remote", "sources": [ { "db": "CNNVD", "id": "CNNVD-202111-1500" } ], "trust": 0.6 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Apache\u00a0ShenYu\u00a0Admin\u00a0 Authentication vulnerability in", "sources": [ { "db": "JVNDB", "id": "JVNDB-2021-015197" } ], "trust": 0.8 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "authorization issue", "sources": [ { "db": "CNNVD", "id": "CNNVD-202111-1500" } ], "trust": 0.6 } }
var-202201-0597
Vulnerability from variot
Groovy code injection and SpEL injection in Apache ShenYu lead to remote code execution. This issue affected Apache ShenYu 2.4.0 and 2.4.1. Apache ShenYu contains a code injection vulnerability. Information may be obtained or tampered with, and service operation may be interrupted (DoS). Apache ShenYu is an asynchronous, high-performance, cross-language, reactive API gateway of the Apache Foundation.
Show details on source website{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-202201-0597", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "shenyu", "scope": "eq", "trust": 2.4, "vendor": "apache", "version": "2.4.0" }, { "model": "shenyu", "scope": "eq", "trust": 2.4, "vendor": "apache", "version": "2.4.1" }, { "model": "shenyu", "scope": "eq", "trust": 0.8, "vendor": "apache", "version": null } ], "sources": [ { "db": "CNVD", "id": "CNVD-2022-08191" }, { "db": 
"JVNDB", "id": "JVNDB-2022-003981" }, { "db": "NVD", "id": "CVE-2021-45029" } ] }, "cve": "CVE-2021-45029", "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [ { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "author": "nvd@nist.gov", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "exploitabilityScore": 10.0, "id": "CVE-2021-45029", "impactScore": 6.4, "integrityImpact": "PARTIAL", "severity": "HIGH", "trust": 1.8, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "author": "CNVD", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "exploitabilityScore": 10.0, "id": "CNVD-2022-08191", "impactScore": 6.4, "integrityImpact": "PARTIAL", "severity": "HIGH", "trust": 0.6, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" } ], "cvssV3": [ { "attackComplexity": "LOW", "attackVector": "NETWORK", "author": "nvd@nist.gov", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "exploitabilityScore": 3.9, "id": "CVE-2021-45029", "impactScore": 5.9, "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "trust": 1.0, "userInteraction": "NONE", "vectorString": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, { "attackComplexity": "Low", "attackVector": "Network", "author": "NVD", "availabilityImpact": "High", "baseScore": 9.8, "baseSeverity": "Critical", "confidentialityImpact": "High", "exploitabilityScore": null, "id": "CVE-2021-45029", "impactScore": null, "integrityImpact": "High", "privilegesRequired": "None", "scope": "Unchanged", "trust": 0.8, "userInteraction": "None", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" } ], "severity": [ { "author": "nvd@nist.gov", "id": "CVE-2021-45029", "trust": 1.0, "value": "CRITICAL" }, { "author": "NVD", "id": "CVE-2021-45029", "trust": 0.8, "value": "Critical" }, { "author": "CNVD", "id": "CNVD-2022-08191", "trust": 0.6, "value": "HIGH" }, { "author": "CNNVD", "id": "CNNVD-202201-2298", "trust": 0.6, "value": "CRITICAL" } ] } ], "sources": [ { "db": "CNVD", "id": "CNVD-2022-08191" }, { "db": "JVNDB", "id": "JVNDB-2022-003981" }, { "db": "CNNVD", "id": "CNNVD-202201-2298" }, { "db": "NVD", "id": "CVE-2021-45029" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Groovy Code Injection \u0026 SpEL Injection which lead to Remote Code Execution. This issue affected Apache ShenYu 2.4.0 and 2.4.1. Apache ShenYu There is a code injection vulnerability in.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. 
Apache ShenYu is an asynchronous, high-performance, cross-language, and reactive API gateway of the Apache Foundation", "sources": [ { "db": "NVD", "id": "CVE-2021-45029" }, { "db": "JVNDB", "id": "JVNDB-2022-003981" }, { "db": "CNVD", "id": "CNVD-2022-08191" } ], "trust": 2.16 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "NVD", "id": "CVE-2021-45029", "trust": 3.8 }, { "db": "OPENWALL", "id": "OSS-SECURITY/2022/01/26/1", "trust": 2.4 }, { "db": "OPENWALL", "id": "OSS-SECURITY/2022/01/25/8", "trust": 2.4 }, { "db": "JVNDB", "id": "JVNDB-2022-003981", "trust": 0.8 }, { "db": "CNVD", "id": "CNVD-2022-08191", "trust": 0.6 }, { "db": "CS-HELP", "id": "SB2022012522", "trust": 0.6 }, { "db": "CNNVD", "id": "CNNVD-202201-2298", "trust": 0.6 } ], "sources": [ { "db": "CNVD", "id": "CNVD-2022-08191" }, { "db": "JVNDB", "id": "JVNDB-2022-003981" }, { "db": "CNNVD", "id": "CNNVD-202201-2298" }, { "db": "NVD", "id": "CVE-2021-45029" } ] }, "id": "VAR-202201-0597", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "CNVD", "id": "CNVD-2022-08191" } ], "trust": 1.1079365399999999 }, "iot_taxonomy": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "category": [ "Network device" ], "sub_category": null, "trust": 0.6 } ], "sources": [ { "db": "CNVD", "id": "CNVD-2022-08191" } ] }, "last_update_date": "2024-11-23T22:20:41.038000Z", "patch": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": 
{ "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "title": "CVE-2021-45029", "trust": 0.8, "url": "https://lists.apache.org/thread/3zzmwvg3012tg306x8o893fvdcssx639" }, { "title": "Patch for Apache ShenYu Code Injection Vulnerability", "trust": 0.6, "url": "https://www.cnvd.org.cn/patchInfo/show/316976" }, { "title": "Apache ShenYu Fixes for code injection vulnerabilities", "trust": 0.6, "url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=180027" } ], "sources": [ { "db": "CNVD", "id": "CNVD-2022-08191" }, { "db": "JVNDB", "id": "JVNDB-2022-003981" }, { "db": "CNNVD", "id": "CNNVD-202201-2298" } ] }, "problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "CWE-94", "trust": 1.0 }, { "problemtype": "Code injection (CWE-94) [NVD evaluation ]", "trust": 0.8 } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2022-003981" }, { "db": "NVD", "id": "CVE-2021-45029" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 2.4, "url": "http://www.openwall.com/lists/oss-security/2022/01/25/8" }, { "trust": 2.4, "url": "http://www.openwall.com/lists/oss-security/2022/01/26/1" }, { "trust": 2.0, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-45029" }, { "trust": 1.6, "url": "https://lists.apache.org/thread/3zzmwvg3012tg306x8o893fvdcssx639" }, { "trust": 0.6, "url": "https://www.cybersecurity-help.cz/vdb/sb2022012522" } ], "sources": [ { "db": "CNVD", "id": "CNVD-2022-08191" }, { "db": "JVNDB", "id": "JVNDB-2022-003981" }, { "db": "CNNVD", "id": "CNNVD-202201-2298" }, { "db": "NVD", "id": "CVE-2021-45029" } ] }, "sources": { "@context": { "@vocab": 
"https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "CNVD", "id": "CNVD-2022-08191" }, { "db": "JVNDB", "id": "JVNDB-2022-003981" }, { "db": "CNNVD", "id": "CNNVD-202201-2298" }, { "db": "NVD", "id": "CVE-2021-45029" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2022-02-01T00:00:00", "db": "CNVD", "id": "CNVD-2022-08191" }, { "date": "2023-03-14T00:00:00", "db": "JVNDB", "id": "JVNDB-2022-003981" }, { "date": "2022-01-25T00:00:00", "db": "CNNVD", "id": "CNNVD-202201-2298" }, { "date": "2022-01-25T13:15:07.783000", "db": "NVD", "id": "CVE-2021-45029" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2022-02-03T00:00:00", "db": "CNVD", "id": "CNVD-2022-08191" }, { "date": "2023-03-14T08:03:00", "db": "JVNDB", "id": "JVNDB-2022-003981" }, { "date": "2022-02-22T00:00:00", "db": "CNNVD", "id": "CNNVD-202201-2298" }, { "date": "2024-11-21T06:31:49.763000", "db": "NVD", "id": "CVE-2021-45029" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "remote", "sources": [ { "db": "CNNVD", "id": "CNNVD-202201-2298" } ], "trust": 0.6 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Apache ShenYu Code Injection Vulnerability", "sources": [ { "db": "CNVD", "id": "CNVD-2022-08191" }, { "db": "CNNVD", "id": "CNNVD-202201-2298" } ], "trust": 1.2 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": 
"https://www.variotdbs.pl/ref/sources#" } } }, "data": "code injection", "sources": [ { "db": "CNNVD", "id": "CNNVD-202201-2298" } ], "trust": 0.6 } }
var-202201-0598
Vulnerability from variot
Missing authentication on ShenYu Admin when registering by HTTP. This issue affected Apache ShenYu 2.4.0 and 2.4.1. ShenYu Admin lacks authentication for a critical function. Information may be tampered with. Apache ShenYu is an asynchronous, high-performance, cross-language, reactive API gateway of the Apache Foundation. An attacker could exploit this vulnerability to gain unauthorized access to system data or functionality.
Show details on source website{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-202201-0598", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "shenyu", "scope": "eq", "trust": 2.4, "vendor": "apache", "version": "2.4.0" }, { "model": "shenyu", "scope": "eq", "trust": 2.4, "vendor": "apache", "version": "2.4.1" }, { "model": "shenyu", "scope": "eq", "trust": 0.8, "vendor": "apache", "version": null } ], "sources": [ { "db": "CNVD", "id": "CNVD-2022-18269" }, { "db": 
"JVNDB", "id": "JVNDB-2022-004223" }, { "db": "NVD", "id": "CVE-2022-23945" } ] }, "cve": "CVE-2022-23945", "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [ { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "author": "nvd@nist.gov", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "exploitabilityScore": 10.0, "id": "CVE-2022-23945", "impactScore": 2.9, "integrityImpact": "PARTIAL", "severity": "MEDIUM", "trust": 1.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0" }, { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "author": "CNVD", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "exploitabilityScore": 10.0, "id": "CNVD-2022-18269", "impactScore": 2.9, "integrityImpact": "PARTIAL", "severity": "MEDIUM", "trust": 0.6, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0" } ], "cvssV3": [ { "attackComplexity": "LOW", "attackVector": "NETWORK", "author": "nvd@nist.gov", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "exploitabilityScore": 3.9, "id": "CVE-2022-23945", "impactScore": 3.6, "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "trust": 1.0, "userInteraction": "NONE", "vectorString": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" }, { "attackComplexity": "Low", "attackVector": "Network", "author": "NVD", "availabilityImpact": "None", "baseScore": 7.5, "baseSeverity": "High", "confidentialityImpact": "None", "exploitabilityScore": null, "id": "CVE-2022-23945", "impactScore": null, "integrityImpact": "High", "privilegesRequired": "None", "scope": "Unchanged", "trust": 0.8, "userInteraction": "None", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.0" } ], "severity": [ { "author": "nvd@nist.gov", "id": "CVE-2022-23945", "trust": 1.0, "value": "HIGH" }, { "author": "NVD", "id": "CVE-2022-23945", "trust": 0.8, "value": "High" }, { "author": "CNVD", "id": "CNVD-2022-18269", "trust": 0.6, "value": "MEDIUM" }, { "author": "CNNVD", "id": "CNNVD-202201-2330", "trust": 0.6, "value": "HIGH" } ] } ], "sources": [ { "db": "CNVD", "id": "CNVD-2022-18269" }, { "db": "JVNDB", "id": "JVNDB-2022-004223" }, { "db": "CNNVD", "id": "CNNVD-202201-2330" }, { "db": "NVD", "id": "CVE-2022-23945" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Missing authentication on ShenYu Admin when register by HTTP. This issue affected Apache ShenYu 2.4.0 and 2.4.1. ShenYu Admin There is a vulnerability in the lack of authentication for critical features.Information may be tampered with. Apache ShenYu is an asynchronous, high-performance, cross-language, reactive API gateway of the Apache Foundation. 
An attacker could exploit this vulnerability to cause unauthorized access to system data or functionality", "sources": [ { "db": "NVD", "id": "CVE-2022-23945" }, { "db": "JVNDB", "id": "JVNDB-2022-004223" }, { "db": "CNVD", "id": "CNVD-2022-18269" } ], "trust": 2.16 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "NVD", "id": "CVE-2022-23945", "trust": 3.8 }, { "db": "OPENWALL", "id": "OSS-SECURITY/2022/01/25/6", "trust": 2.4 }, { "db": "OPENWALL", "id": "OSS-SECURITY/2022/01/26/3", "trust": 2.4 }, { "db": "JVNDB", "id": "JVNDB-2022-004223", "trust": 0.8 }, { "db": "CNVD", "id": "CNVD-2022-18269", "trust": 0.6 }, { "db": "CS-HELP", "id": "SB2022012522", "trust": 0.6 }, { "db": "CNNVD", "id": "CNNVD-202201-2330", "trust": 0.6 } ], "sources": [ { "db": "CNVD", "id": "CNVD-2022-18269" }, { "db": "JVNDB", "id": "JVNDB-2022-004223" }, { "db": "CNNVD", "id": "CNNVD-202201-2330" }, { "db": "NVD", "id": "CVE-2022-23945" } ] }, "id": "VAR-202201-0598", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "CNVD", "id": "CNVD-2022-18269" } ], "trust": 1.1079365399999999 }, "iot_taxonomy": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "category": [ "Network device" ], "sub_category": null, "trust": 0.6 } ], "sources": [ { "db": "CNVD", "id": "CNVD-2022-18269" } ] }, "last_update_date": "2024-11-23T22:20:41.013000Z", "patch": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": { 
"@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "title": "CVE-2022-23223", "trust": 0.8, "url": "https://lists.apache.org/thread/q2gg6ny6lpkph7nkrvjzqdvqpm805v8s" }, { "title": "Patch for Apache ShenYu Access Control Error Vulnerability (CNVD-2022-18269)", "trust": 0.6, "url": "https://www.cnvd.org.cn/patchInfo/show/324661" }, { "title": "Apache ShenYu Fixes for access control error vulnerabilities", "trust": 0.6, "url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=180327" } ], "sources": [ { "db": "CNVD", "id": "CNVD-2022-18269" }, { "db": "JVNDB", "id": "JVNDB-2022-004223" }, { "db": "CNNVD", "id": "CNNVD-202201-2330" } ] }, "problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "CWE-306", "trust": 1.0 }, { "problemtype": "CWE-862", "trust": 1.0 }, { "problemtype": "Lack of authentication for critical features (CWE-306) [NVD evaluation ]", "trust": 0.8 } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2022-004223" }, { "db": "NVD", "id": "CVE-2022-23945" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 2.4, "url": "http://www.openwall.com/lists/oss-security/2022/01/25/6" }, { "trust": 2.4, "url": "http://www.openwall.com/lists/oss-security/2022/01/26/3" }, { "trust": 2.0, "url": "https://nvd.nist.gov/vuln/detail/cve-2022-23945" }, { "trust": 1.6, "url": "https://lists.apache.org/thread/q2gg6ny6lpkph7nkrvjzqdvqpm805v8s" }, { "trust": 0.6, "url": "https://www.cybersecurity-help.cz/vdb/sb2022012522" } ], "sources": [ { "db": "CNVD", "id": "CNVD-2022-18269" }, { "db": "JVNDB", "id": "JVNDB-2022-004223" }, { "db": "CNNVD", "id": 
"CNNVD-202201-2330" }, { "db": "NVD", "id": "CVE-2022-23945" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "CNVD", "id": "CNVD-2022-18269" }, { "db": "JVNDB", "id": "JVNDB-2022-004223" }, { "db": "CNNVD", "id": "CNNVD-202201-2330" }, { "db": "NVD", "id": "CVE-2022-23945" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2022-03-10T00:00:00", "db": "CNVD", "id": "CNVD-2022-18269" }, { "date": "2023-03-31T00:00:00", "db": "JVNDB", "id": "JVNDB-2022-004223" }, { "date": "2022-01-25T00:00:00", "db": "CNNVD", "id": "CNNVD-202201-2330" }, { "date": "2022-01-25T13:15:08.233000", "db": "NVD", "id": "CVE-2022-23945" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2022-03-11T00:00:00", "db": "CNVD", "id": "CNVD-2022-18269" }, { "date": "2023-03-31T09:08:00", "db": "JVNDB", "id": "JVNDB-2022-004223" }, { "date": "2022-02-28T00:00:00", "db": "CNNVD", "id": "CNNVD-202201-2330" }, { "date": "2024-11-21T06:49:30.330000", "db": "NVD", "id": "CVE-2022-23945" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "remote", "sources": [ { "db": "CNNVD", "id": "CNNVD-202201-2330" } ], "trust": 0.6 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "ShenYu\u00a0Admin\u00a0 Vulnerability regarding lack of authentication for critical features in", "sources": [ { "db": "JVNDB", "id": "JVNDB-2022-004223" } ], "trust": 0.8 }, "type": { "@context": { "@vocab": 
"https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "access control error", "sources": [ { "db": "CNNVD", "id": "CNNVD-202201-2330" } ], "trust": 0.6 } }
var-202205-1369
Vulnerability from variot
In Apache ShenYu, ShenYu-Bootstrap, RegexPredicateJudge.java uses Pattern.matches(conditionData.getParamValue(), realData) to make judgments, where both parameters are controllable by the user. This allows an attacker to pass in malicious regular expressions and characters, causing resource exhaustion (a regular-expression denial of service, ReDoS). This issue affects Apache ShenYu (incubating) 2.4.0, 2.4.1 and 2.4.2 and is fixed in 2.4.3. Apache ShenYu is an asynchronous, high-performance, cross-language, reactive API gateway of the Apache Foundation.
A denial of service vulnerability exists in Apache ShenYu, which is caused by not properly handling the input error message
Show details on source website{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-202205-1369", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "shenyu", "scope": "eq", "trust": 1.6, "vendor": "apache", "version": "2.4.0" }, { "model": "shenyu", "scope": "eq", "trust": 1.6, "vendor": "apache", "version": "2.4.1" }, { "model": "shenyu", "scope": "eq", "trust": 1.6, "vendor": "apache", "version": "2.4.2" } ], "sources": [ { "db": "CNVD", "id": "CNVD-2022-41632" }, { "db": 
"NVD", "id": "CVE-2022-26650" } ] }, "cve": "CVE-2022-26650", "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [ { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "author": "nvd@nist.gov", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "exploitabilityScore": 10.0, "id": "CVE-2022-26650", "impactScore": 2.9, "integrityImpact": "NONE", "severity": "MEDIUM", "trust": 1.1, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0" }, { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "author": "CNVD", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "exploitabilityScore": 10.0, "id": "CNVD-2022-41632", "impactScore": 2.9, "integrityImpact": "NONE", "severity": "MEDIUM", "trust": 0.6, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0" } ], "cvssV3": [ { "attackComplexity": "LOW", "attackVector": "NETWORK", "author": "nvd@nist.gov", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "exploitabilityScore": 3.9, "id": "CVE-2022-26650", "impactScore": 3.6, "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "trust": 1.0, "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" 
} ], "severity": [ { "author": "nvd@nist.gov", "id": "CVE-2022-26650", "trust": 1.0, "value": "HIGH" }, { "author": "CNVD", "id": "CNVD-2022-41632", "trust": 0.6, "value": "MEDIUM" }, { "author": "CNNVD", "id": "CNNVD-202205-3542", "trust": 0.6, "value": "HIGH" }, { "author": "VULMON", "id": "CVE-2022-26650", "trust": 0.1, "value": "MEDIUM" } ] } ], "sources": [ { "db": "CNVD", "id": "CNVD-2022-41632" }, { "db": "VULMON", "id": "CVE-2022-26650" }, { "db": "CNNVD", "id": "CNNVD-202205-3542" }, { "db": "NVD", "id": "CVE-2022-26650" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "In Apache ShenYui, ShenYu-Bootstrap, RegexPredicateJudge.java uses Pattern.matches(conditionData.getParamValue(), realData) to make judgments, where both parameters are controllable by the user. This can cause an attacker pass in malicious regular expressions and characters causing a resource exhaustion. This issue affects Apache ShenYu (incubating) 2.4.0, 2.4.1 and 2.4.2 and is fixed in 2.4.3. Apache ShenYu is an asynchronous, high-performance, cross-language, reactive API gateway of the Apache Foundation. 
\n\r\n\r\nA denial of service vulnerability exists in Apache ShenYu, which is caused by not properly handling the input error message", "sources": [ { "db": "NVD", "id": "CVE-2022-26650" }, { "db": "CNVD", "id": "CNVD-2022-41632" }, { "db": "VULMON", "id": "CVE-2022-26650" } ], "trust": 1.53 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "NVD", "id": "CVE-2022-26650", "trust": 2.3 }, { "db": "OPENWALL", "id": "OSS-SECURITY/2022/05/17/3", "trust": 1.7 }, { "db": "CNVD", "id": "CNVD-2022-41632", "trust": 0.6 }, { "db": "CS-HELP", "id": "SB2022051722", "trust": 0.6 }, { "db": "CNNVD", "id": "CNNVD-202205-3542", "trust": 0.6 }, { "db": "VULMON", "id": "CVE-2022-26650", "trust": 0.1 } ], "sources": [ { "db": "CNVD", "id": "CNVD-2022-41632" }, { "db": "VULMON", "id": "CVE-2022-26650" }, { "db": "CNNVD", "id": "CNNVD-202205-3542" }, { "db": "NVD", "id": "CVE-2022-26650" } ] }, "id": "VAR-202205-1369", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "CNVD", "id": "CNVD-2022-41632" } ], "trust": 1.1079365399999999 }, "iot_taxonomy": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "category": [ "Network device" ], "sub_category": null, "trust": 0.6 } ], "sources": [ { "db": "CNVD", "id": "CNVD-2022-41632" } ] }, "last_update_date": "2024-11-23T22:04:50.012000Z", "patch": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": 
"https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "title": "Patch for Apache ShenYu Denial of Service Vulnerability", "trust": 0.6, "url": "https://www.cnvd.org.cn/patchInfo/show/334086" }, { "title": "Apache ShenYu Security vulnerabilities", "trust": 0.6, "url": "http://123.124.177.30/web/xxk/bdxqById.tag?id=194105" } ], "sources": [ { "db": "CNVD", "id": "CNVD-2022-41632" }, { "db": "CNNVD", "id": "CNNVD-202205-3542" } ] }, "problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "CWE-1333", "trust": 1.0 } ], "sources": [ { "db": "NVD", "id": "CVE-2022-26650" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 1.7, "url": "https://lists.apache.org/thread/8rp33m3nm4bwtx3qx76mqynth3t3d673" }, { "trust": 1.7, "url": "http://www.openwall.com/lists/oss-security/2022/05/17/3" }, { "trust": 0.6, "url": "https://nvd.nist.gov/vuln/detail/cve-2022-26650" }, { "trust": 0.6, "url": "https://cxsecurity.com/cveshow/cve-2022-26650/" }, { "trust": 0.6, "url": "https://www.cybersecurity-help.cz/vdb/sb2022051722" }, { "trust": 0.1, "url": "https://cwe.mitre.org/data/definitions/862.html" }, { "trust": 0.1, "url": "https://nvd.nist.gov" } ], "sources": [ { "db": "CNVD", "id": "CNVD-2022-41632" }, { "db": "VULMON", "id": "CVE-2022-26650" }, { "db": "CNNVD", "id": "CNNVD-202205-3542" }, { "db": "NVD", "id": "CVE-2022-26650" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "CNVD", "id": "CNVD-2022-41632" }, { "db": "VULMON", "id": "CVE-2022-26650" }, { "db": "CNNVD", "id": "CNNVD-202205-3542" }, { "db": "NVD", "id": 
"CVE-2022-26650" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2022-05-28T00:00:00", "db": "CNVD", "id": "CNVD-2022-41632" }, { "date": "2022-05-17T00:00:00", "db": "VULMON", "id": "CVE-2022-26650" }, { "date": "2022-05-17T00:00:00", "db": "CNNVD", "id": "CNNVD-202205-3542" }, { "date": "2022-05-17T08:15:06.423000", "db": "NVD", "id": "CVE-2022-26650" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2022-05-28T00:00:00", "db": "CNVD", "id": "CNVD-2022-41632" }, { "date": "2022-05-25T00:00:00", "db": "VULMON", "id": "CVE-2022-26650" }, { "date": "2023-07-12T00:00:00", "db": "CNNVD", "id": "CNNVD-202205-3542" }, { "date": "2024-11-21T06:54:15.510000", "db": "NVD", "id": "CVE-2022-26650" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "remote", "sources": [ { "db": "CNNVD", "id": "CNNVD-202205-3542" } ], "trust": 0.6 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Apache ShenYu Denial of Service Vulnerability", "sources": [ { "db": "CNVD", "id": "CNVD-2022-41632" } ], "trust": 0.6 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "other", "sources": [ { "db": "CNNVD", "id": "CNNVD-202205-3542" } ], "trust": 0.6 } }
var-202302-1211
Vulnerability from variot
Improper Privilege Management vulnerability in Apache Software Foundation Apache ShenYu.
ShenYu Admin allows low-privilege administrators to create users with higher privileges than their own.
This issue affects Apache ShenYu: 2.5.0.
Upgrade to Apache ShenYu 2.5.1 or apply the patch at https://github.com/apache/shenyu/pull/3958. Apache ShenYu from the Apache Software Foundation contains a permission management vulnerability. Information may be obtained or tampered with, and service operation may be interrupted (DoS). Apache ShenYu is an asynchronous, high-performance, cross-language, and responsive API gateway of the Apache Foundation.
Show details on source website{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-202302-1211", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "shenyu", "scope": "eq", "trust": 1.8, "vendor": "apache", "version": "2.5.0" }, { "model": "shenyu", "scope": "eq", "trust": 0.8, "vendor": "apache", "version": null }, { "model": "shenyu", "scope": null, "trust": 0.8, "vendor": "apache", "version": null }, { "model": "shenyu", "scope": "lt", "trust": 0.6, "vendor": "apache", 
"version": "2.5.1" } ], "sources": [ { "db": "CNVD", "id": "CNVD-2023-23553" }, { "db": "JVNDB", "id": "JVNDB-2022-019571" }, { "db": "NVD", "id": "CVE-2022-42735" } ] }, "cve": "CVE-2022-42735", "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [ { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "author": "CNVD", "availabilityImpact": "COMPLETE", "baseScore": 9.0, "confidentialityImpact": "COMPLETE", "exploitabilityScore": 8.0, "id": "CNVD-2023-23553", "impactScore": 10.0, "integrityImpact": "COMPLETE", "severity": "HIGH", "trust": 0.6, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0" } ], "cvssV3": [ { "attackComplexity": "LOW", "attackVector": "NETWORK", "author": "nvd@nist.gov", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "exploitabilityScore": 2.8, "id": "CVE-2022-42735", "impactScore": 5.9, "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "trust": 1.0, "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, { "attackComplexity": "Low", "attackVector": "Network", "author": "NVD", "availabilityImpact": "High", "baseScore": 8.8, "baseSeverity": "High", "confidentialityImpact": "High", "exploitabilityScore": null, "id": "CVE-2022-42735", "impactScore": 
null, "integrityImpact": "High", "privilegesRequired": "Low", "scope": "Unchanged", "trust": 0.8, "userInteraction": "None", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" } ], "severity": [ { "author": "nvd@nist.gov", "id": "CVE-2022-42735", "trust": 1.0, "value": "HIGH" }, { "author": "NVD", "id": "CVE-2022-42735", "trust": 0.8, "value": "High" }, { "author": "CNVD", "id": "CNVD-2023-23553", "trust": 0.6, "value": "HIGH" }, { "author": "CNNVD", "id": "CNNVD-202302-1251", "trust": 0.6, "value": "HIGH" } ] } ], "sources": [ { "db": "CNVD", "id": "CNVD-2023-23553" }, { "db": "JVNDB", "id": "JVNDB-2022-019571" }, { "db": "CNNVD", "id": "CNNVD-202302-1251" }, { "db": "NVD", "id": "CVE-2022-42735" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Improper Privilege Management vulnerability in Apache Software Foundation Apache ShenYu. \n\n\nShenYu Admin allows low-privilege low-level administrators create users with higher privileges than their own. \n\nThis issue affects Apache ShenYu: 2.5.0. \n\nUpgrade to Apache ShenYu 2.5.1 or apply patch https://github.com/apache/shenyu/pull/3958 https://github.com/apache/shenyu/pull/3958 . Apache Software Foundation of ShenYu Exists in a permission management vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. 
Apache ShenYu is an asynchronous, high-performance, cross-language, and responsive API gateway of the Apache Foundation", "sources": [ { "db": "NVD", "id": "CVE-2022-42735" }, { "db": "JVNDB", "id": "JVNDB-2022-019571" }, { "db": "CNVD", "id": "CNVD-2023-23553" }, { "db": "VULMON", "id": "CVE-2022-42735" } ], "trust": 2.25 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "NVD", "id": "CVE-2022-42735", "trust": 3.9 }, { "db": "JVNDB", "id": "JVNDB-2022-019571", "trust": 0.8 }, { "db": "CNVD", "id": "CNVD-2023-23553", "trust": 0.6 }, { "db": "CNNVD", "id": "CNNVD-202302-1251", "trust": 0.6 }, { "db": "VULMON", "id": "CVE-2022-42735", "trust": 0.1 } ], "sources": [ { "db": "CNVD", "id": "CNVD-2023-23553" }, { "db": "VULMON", "id": "CVE-2022-42735" }, { "db": "JVNDB", "id": "JVNDB-2022-019571" }, { "db": "CNNVD", "id": "CNNVD-202302-1251" }, { "db": "NVD", "id": "CVE-2022-42735" } ] }, "id": "VAR-202302-1211", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "CNVD", "id": "CNVD-2023-23553" } ], "trust": 1.1079365399999999 }, "iot_taxonomy": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "category": [ "Network device" ], "sub_category": null, "trust": 0.6 } ], "sources": [ { "db": "CNVD", "id": "CNVD-2023-23553" } ] }, "last_update_date": "2024-08-14T14:02:02.948000Z", "patch": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": 
"https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "title": "Patch for Apache ShenYu Authorization Issue Vulnerability (CNVD-2023-23553)", "trust": 0.6, "url": "https://www.cnvd.org.cn/patchInfo/show/415776" }, { "title": "Apache ShenYu Security vulnerabilities", "trust": 0.6, "url": "http://123.124.177.30/web/xxk/bdxqById.tag?id=226084" }, { "title": "", "trust": 0.1, "url": "https://github.com/Live-Hack-CVE/CVE-2022-42735 " } ], "sources": [ { "db": "CNVD", "id": "CNVD-2023-23553" }, { "db": "VULMON", "id": "CVE-2022-42735" }, { "db": "CNNVD", "id": "CNNVD-202302-1251" } ] }, "problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "CWE-269", "trust": 1.0 }, { "problemtype": "Improper authority management (CWE-269) [NVD evaluation ]", "trust": 0.8 } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2022-019571" }, { "db": "NVD", "id": "CVE-2022-42735" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 2.5, "url": "https://lists.apache.org/thread/2k8764jmckmc19qc8x51nlnngq71pcf7" }, { "trust": 1.4, "url": "https://nvd.nist.gov/vuln/detail/cve-2022-42735" }, { "trust": 0.6, "url": "https://cxsecurity.com/cveshow/cve-2022-42735/" }, { "trust": 0.1, "url": "https://cwe.mitre.org/data/definitions/269.html" }, { "trust": 0.1, "url": "https://github.com/live-hack-cve/cve-2022-42735" }, { "trust": 0.1, "url": "https://nvd.nist.gov" } ], "sources": [ { "db": "CNVD", "id": "CNVD-2023-23553" }, { "db": "VULMON", "id": "CVE-2022-42735" }, { "db": "JVNDB", "id": "JVNDB-2022-019571" }, { "db": "CNNVD", "id": "CNNVD-202302-1251" }, { "db": "NVD", "id": "CVE-2022-42735" } ] }, "sources": { "@context": { 
"@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "CNVD", "id": "CNVD-2023-23553" }, { "db": "VULMON", "id": "CVE-2022-42735" }, { "db": "JVNDB", "id": "JVNDB-2022-019571" }, { "db": "CNNVD", "id": "CNNVD-202302-1251" }, { "db": "NVD", "id": "CVE-2022-42735" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2023-03-24T00:00:00", "db": "CNVD", "id": "CNVD-2023-23553" }, { "date": "2023-02-15T00:00:00", "db": "VULMON", "id": "CVE-2022-42735" }, { "date": "2023-10-26T00:00:00", "db": "JVNDB", "id": "JVNDB-2022-019571" }, { "date": "2023-02-15T00:00:00", "db": "CNNVD", "id": "CNNVD-202302-1251" }, { "date": "2023-02-15T10:15:16.403000", "db": "NVD", "id": "CVE-2022-42735" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2023-04-03T00:00:00", "db": "CNVD", "id": "CNVD-2023-23553" }, { "date": "2023-02-16T00:00:00", "db": "VULMON", "id": "CVE-2022-42735" }, { "date": "2023-10-26T06:07:00", "db": "JVNDB", "id": "JVNDB-2022-019571" }, { "date": "2023-06-28T00:00:00", "db": "CNNVD", "id": "CNNVD-202302-1251" }, { "date": "2023-11-07T03:53:25.870000", "db": "NVD", "id": "CVE-2022-42735" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "remote", "sources": [ { "db": "CNNVD", "id": "CNNVD-202302-1251" } ], "trust": 0.6 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Apache\u00a0Software\u00a0Foundation\u00a0 of \u00a0ShenYu\u00a0 Vulnerability in privilege management in", "sources": [ { 
"db": "JVNDB", "id": "JVNDB-2022-019571" } ], "trust": 0.8 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "other", "sources": [ { "db": "CNNVD", "id": "CNNVD-202302-1251" } ], "trust": 0.6 } }
var-202201-0596
Vulnerability from variot
On Apache ShenYu versions 2.4.0 and 2.4.1, an endpoint existed that disclosed the passwords of all users. Users are recommended to upgrade to version 2.4.2 or later. Apache ShenYu contains a vulnerability involving inadequate protection of credentials. Information may be obtained. Apache ShenYu is an asynchronous, high-performance, cross-language, reactive API gateway of the Apache Foundation.
There is an information disclosure vulnerability in Apache ShenYu in versions 2.4.0 and 2.4.1, which originates from errors in the configuration of network systems or products during operation. An attacker could exploit this vulnerability to see the user's password in the HTTP response
Show details on source website{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-202201-0596", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "shenyu", "scope": "eq", "trust": 2.4, "vendor": "apache", "version": "2.4.0" }, { "model": "shenyu", "scope": "eq", "trust": 2.4, "vendor": "apache", "version": "2.4.1" }, { "model": "shenyu", "scope": "eq", "trust": 0.8, "vendor": "apache", "version": null } ], "sources": [ { "db": "CNVD", "id": "CNVD-2022-18268" }, { "db": 
"JVNDB", "id": "JVNDB-2022-004182" }, { "db": "NVD", "id": "CVE-2022-23223" } ] }, "cve": "CVE-2022-23223", "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [ { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "author": "nvd@nist.gov", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "exploitabilityScore": 10.0, "id": "CVE-2022-23223", "impactScore": 2.9, "integrityImpact": "NONE", "severity": "MEDIUM", "trust": 1.9, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "author": "CNVD", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "exploitabilityScore": 10.0, "id": "CNVD-2022-18268", "impactScore": 2.9, "integrityImpact": "NONE", "severity": "MEDIUM", "trust": 0.6, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" } ], "cvssV3": [ { "attackComplexity": "LOW", "attackVector": "NETWORK", "author": "nvd@nist.gov", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "exploitabilityScore": 3.9, "id": "CVE-2022-23223", "impactScore": 3.6, "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "trust": 1.0, "userInteraction": "NONE", "vectorString": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, { "attackComplexity": "Low", "attackVector": "Network", "author": "NVD", "availabilityImpact": "None", "baseScore": 7.5, "baseSeverity": "High", "confidentialityImpact": "High", "exploitabilityScore": null, "id": "CVE-2022-23223", "impactScore": null, "integrityImpact": "None", "privilegesRequired": "None", "scope": "Unchanged", "trust": 0.8, "userInteraction": "None", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0" } ], "severity": [ { "author": "nvd@nist.gov", "id": "CVE-2022-23223", "trust": 1.0, "value": "HIGH" }, { "author": "NVD", "id": "CVE-2022-23223", "trust": 0.8, "value": "High" }, { "author": "CNVD", "id": "CNVD-2022-18268", "trust": 0.6, "value": "MEDIUM" }, { "author": "CNNVD", "id": "CNNVD-202201-2306", "trust": 0.6, "value": "HIGH" }, { "author": "VULMON", "id": "CVE-2022-23223", "trust": 0.1, "value": "MEDIUM" } ] } ], "sources": [ { "db": "CNVD", "id": "CNVD-2022-18268" }, { "db": "VULMON", "id": "CVE-2022-23223" }, { "db": "JVNDB", "id": "JVNDB-2022-004182" }, { "db": "CNNVD", "id": "CNNVD-202201-2306" }, { "db": "NVD", "id": "CVE-2022-23223" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "On Apache ShenYu versions 2.4.0 and 2.4.1, and endpoint existed that disclosed the passwords of all users. Users are recommended to upgrade to version 2.4.2 or later. Apache ShenYu There are vulnerabilities in inadequate protection of credentials.Information may be obtained. Apache ShenYu is an asynchronous, high-performance, cross-language, reactive API gateway of the Apache Foundation. \n\r\n\r\nThere is an information disclosure vulnerability in Apache ShenYu in versions 2.4.0 and 2.4.1, which originates from errors in the configuration of network systems or products during operation. 
An attacker could exploit this vulnerability to see the user\u0027s password in the HTTP response", "sources": [ { "db": "NVD", "id": "CVE-2022-23223" }, { "db": "JVNDB", "id": "JVNDB-2022-004182" }, { "db": "CNVD", "id": "CNVD-2022-18268" }, { "db": "VULMON", "id": "CVE-2022-23223" } ], "trust": 2.25 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "NVD", "id": "CVE-2022-23223", "trust": 3.9 }, { "db": "OPENWALL", "id": "OSS-SECURITY/2022/01/26/4", "trust": 2.5 }, { "db": "OPENWALL", "id": "OSS-SECURITY/2022/01/25/7", "trust": 1.7 }, { "db": "JVNDB", "id": "JVNDB-2022-004182", "trust": 0.8 }, { "db": "CNVD", "id": "CNVD-2022-18268", "trust": 0.6 }, { "db": "CS-HELP", "id": "SB2022012522", "trust": 0.6 }, { "db": "CNNVD", "id": "CNNVD-202201-2306", "trust": 0.6 }, { "db": "VULMON", "id": "CVE-2022-23223", "trust": 0.1 } ], "sources": [ { "db": "CNVD", "id": "CNVD-2022-18268" }, { "db": "VULMON", "id": "CVE-2022-23223" }, { "db": "JVNDB", "id": "JVNDB-2022-004182" }, { "db": "CNNVD", "id": "CNNVD-202201-2306" }, { "db": "NVD", "id": "CVE-2022-23223" } ] }, "id": "VAR-202201-0596", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "CNVD", "id": "CNVD-2022-18268" } ], "trust": 1.1079365399999999 }, "iot_taxonomy": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "category": [ "Network device" ], "sub_category": null, "trust": 0.6 } ], "sources": [ { "db": "CNVD", "id": "CNVD-2022-18268" } ] }, "last_update_date": 
"2024-11-23T22:20:40.983000Z", "patch": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "title": "CVE-2022-23223", "trust": 0.8, "url": "https://lists.apache.org/thread/q2gg6ny6lpkph7nkrvjzqdvqpm805v8s" }, { "title": "Patch for Apache ShenYu Information Disclosure Vulnerability", "trust": 0.6, "url": "https://www.cnvd.org.cn/patchInfo/show/324656" }, { "title": "Apache ShenYu Repair measures for information disclosure vulnerabilities", "trust": 0.6, "url": "http://123.124.177.30/web/xxk/bdxqById.tag?id=180314" }, { "title": "CVE-2022-XXXX", "trust": 0.1, "url": "https://github.com/AlphabugX/CVE-2022-23305 " }, { "title": "CVE-2022-XXXX", "trust": 0.1, "url": "https://github.com/AlphabugX/CVE-2022-RCE " } ], "sources": [ { "db": "CNVD", "id": "CNVD-2022-18268" }, { "db": "VULMON", "id": "CVE-2022-23223" }, { "db": "JVNDB", "id": "JVNDB-2022-004182" }, { "db": "CNNVD", "id": "CNNVD-202201-2306" } ] }, "problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "CWE-522", "trust": 1.0 }, { "problemtype": "Inadequate protection of credentials (CWE-522) [NVD evaluation ]", "trust": 0.8 } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2022-004182" }, { "db": "NVD", "id": "CVE-2022-23223" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 2.5, "url": "http://www.openwall.com/lists/oss-security/2022/01/26/4" }, { "trust": 2.0, "url": "https://nvd.nist.gov/vuln/detail/cve-2022-23223" }, { "trust": 1.7, "url": 
"https://lists.apache.org/thread/q2gg6ny6lpkph7nkrvjzqdvqpm805v8s" }, { "trust": 1.7, "url": "http://www.openwall.com/lists/oss-security/2022/01/25/7" }, { "trust": 0.6, "url": "https://www.cybersecurity-help.cz/vdb/sb2022012522" }, { "trust": 0.1, "url": "https://cwe.mitre.org/data/definitions/522.html" }, { "trust": 0.1, "url": "https://nvd.nist.gov" }, { "trust": 0.1, "url": "https://github.com/alphabugx/cve-2022-23305" } ], "sources": [ { "db": "CNVD", "id": "CNVD-2022-18268" }, { "db": "VULMON", "id": "CVE-2022-23223" }, { "db": "JVNDB", "id": "JVNDB-2022-004182" }, { "db": "CNNVD", "id": "CNNVD-202201-2306" }, { "db": "NVD", "id": "CVE-2022-23223" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "CNVD", "id": "CNVD-2022-18268" }, { "db": "VULMON", "id": "CVE-2022-23223" }, { "db": "JVNDB", "id": "JVNDB-2022-004182" }, { "db": "CNNVD", "id": "CNNVD-202201-2306" }, { "db": "NVD", "id": "CVE-2022-23223" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2022-03-10T00:00:00", "db": "CNVD", "id": "CNVD-2022-18268" }, { "date": "2022-01-25T00:00:00", "db": "VULMON", "id": "CVE-2022-23223" }, { "date": "2023-03-28T00:00:00", "db": "JVNDB", "id": "JVNDB-2022-004182" }, { "date": "2022-01-25T00:00:00", "db": "CNNVD", "id": "CNNVD-202201-2306" }, { "date": "2022-01-25T13:15:08.137000", "db": "NVD", "id": "CVE-2022-23223" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2022-03-11T00:00:00", "db": "CNVD", "id": "CNVD-2022-18268" }, { "date": "2023-10-16T00:00:00", "db": "VULMON", "id": "CVE-2022-23223" }, { "date": "2023-03-28T03:23:00", "db": "JVNDB", "id": "JVNDB-2022-004182" }, { "date": "2023-07-14T00:00:00", "db": "CNNVD", "id": 
"CNNVD-202201-2306" }, { "date": "2024-11-21T06:48:13.633000", "db": "NVD", "id": "CVE-2022-23223" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "remote", "sources": [ { "db": "CNNVD", "id": "CNNVD-202201-2306" } ], "trust": 0.6 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Apache ShenYu Information Disclosure Vulnerability", "sources": [ { "db": "CNVD", "id": "CNVD-2022-18268" }, { "db": "CNNVD", "id": "CNNVD-202201-2306" } ], "trust": 1.2 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "information disclosure", "sources": [ { "db": "CNNVD", "id": "CNNVD-202201-2306" } ], "trust": 0.6 } }
var-202209-0112
Vulnerability from variot
Apache ShenYu Admin has insecure permissions, which may allow low-privilege administrators to modify high-privilege administrators' passwords. This issue affects Apache ShenYu 2.4.2 and 2.4.3. ShenYu from the Apache Software Foundation contains an improper permission assignment for critical resources vulnerability (CWE-732). Information may be obtained or tampered with, and service operation may be interrupted (DoS). The CVE record for CVE-2022-37435 on this page gives the remediation: upgrade to Apache ShenYu 2.5.0 or apply the patch at https://github.com/apache/shenyu/pull/3658.
Show details on source website{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-202209-0112", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "shenyu", "scope": "eq", "trust": 1.8, "vendor": "apache", "version": "2.4.3" }, { "model": "shenyu", "scope": "eq", "trust": 1.8, "vendor": "apache", "version": "2.4.2" }, { "model": "shenyu", "scope": null, "trust": 0.8, "vendor": "apache", "version": null }, { "model": "shenyu", "scope": "eq", "trust": 0.8, "vendor": "apache", 
"version": null } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2022-016408" }, { "db": "NVD", "id": "CVE-2022-37435" } ] }, "cve": "CVE-2022-37435", "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [], "cvssV3": [ { "attackComplexity": "LOW", "attackVector": "NETWORK", "author": "nvd@nist.gov", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "exploitabilityScore": 2.8, "id": "CVE-2022-37435", "impactScore": 5.9, "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "trust": 1.0, "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, { "attackComplexity": "Low", "attackVector": "Network", "author": "NVD", "availabilityImpact": "High", "baseScore": 8.8, "baseSeverity": "High", "confidentialityImpact": "High", "exploitabilityScore": null, "id": "CVE-2022-37435", "impactScore": null, "integrityImpact": "High", "privilegesRequired": "Low", "scope": "Unchanged", "trust": 0.8, "userInteraction": "None", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" } ], "severity": [ { "author": "nvd@nist.gov", "id": "CVE-2022-37435", "trust": 1.0, "value": "HIGH" }, { "author": "NVD", "id": "CVE-2022-37435", "trust": 0.8, "value": "High" }, { "author": "CNNVD", "id": "CNNVD-202209-020", "trust": 
0.6, "value": "HIGH" } ] } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2022-016408" }, { "db": "CNNVD", "id": "CNNVD-202209-020" }, { "db": "NVD", "id": "CVE-2022-37435" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Apache ShenYu Admin has insecure permissions, which may allow low-privilege administrators to modify high-privilege administrator\u0027s passwords. This issue affects Apache ShenYu 2.4.2 and 2.4.3. Apache Software Foundation of ShenYu Contains a vulnerability in improper permission assignment for critical resources.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state", "sources": [ { "db": "NVD", "id": "CVE-2022-37435" }, { "db": "JVNDB", "id": "JVNDB-2022-016408" }, { "db": "VULMON", "id": "CVE-2022-37435" } ], "trust": 1.71 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "NVD", "id": "CVE-2022-37435", "trust": 3.3 }, { "db": "JVNDB", "id": "JVNDB-2022-016408", "trust": 0.8 }, { "db": "CNNVD", "id": "CNNVD-202209-020", "trust": 0.6 }, { "db": "VULMON", "id": "CVE-2022-37435", "trust": 0.1 } ], "sources": [ { "db": "VULMON", "id": "CVE-2022-37435" }, { "db": "JVNDB", "id": "JVNDB-2022-016408" }, { "db": "CNNVD", "id": "CNNVD-202209-020" }, { "db": "NVD", "id": "CVE-2022-37435" } ] }, "id": "VAR-202209-0112", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "VARIoT devices database", "id": null } ], "trust": 0.50793654 }, "last_update_date": 
"2024-08-14T15:16:30.842000Z", "patch": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "title": "Apache ShenYu Security vulnerabilities", "trust": 0.6, "url": "http://123.124.177.30/web/xxk/bdxqById.tag?id=207153" } ], "sources": [ { "db": "CNNVD", "id": "CNNVD-202209-020" } ] }, "problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "CWE-732", "trust": 1.0 }, { "problemtype": "Improper permission assignment for critical resources (CWE-732) [ others ]", "trust": 0.8 } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2022-016408" }, { "db": "NVD", "id": "CVE-2022-37435" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 2.5, "url": "https://lists.apache.org/thread/ndblyxr2fdrvjtgbs1bogxgv2cgk7t28" }, { "trust": 0.8, "url": "https://nvd.nist.gov/vuln/detail/cve-2022-37435" }, { "trust": 0.6, "url": "https://cxsecurity.com/cveshow/cve-2022-37435/" }, { "trust": 0.1, "url": "https://nvd.nist.gov" } ], "sources": [ { "db": "VULMON", "id": "CVE-2022-37435" }, { "db": "JVNDB", "id": "JVNDB-2022-016408" }, { "db": "CNNVD", "id": "CNNVD-202209-020" }, { "db": "NVD", "id": "CVE-2022-37435" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "VULMON", "id": "CVE-2022-37435" }, { "db": "JVNDB", "id": "JVNDB-2022-016408" }, { "db": "CNNVD", "id": "CNNVD-202209-020" }, { "db": "NVD", "id": "CVE-2022-37435" } ] }, "sources_release_date": { "@context": { 
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2022-09-01T00:00:00", "db": "VULMON", "id": "CVE-2022-37435" }, { "date": "2023-10-04T00:00:00", "db": "JVNDB", "id": "JVNDB-2022-016408" }, { "date": "2022-09-01T00:00:00", "db": "CNNVD", "id": "CNNVD-202209-020" }, { "date": "2022-09-01T14:15:10.427000", "db": "NVD", "id": "CVE-2022-37435" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2022-09-01T00:00:00", "db": "VULMON", "id": "CVE-2022-37435" }, { "date": "2023-10-04T08:57:00", "db": "JVNDB", "id": "JVNDB-2022-016408" }, { "date": "2023-07-24T00:00:00", "db": "CNNVD", "id": "CNNVD-202209-020" }, { "date": "2023-08-02T17:20:00.120000", "db": "NVD", "id": "CVE-2022-37435" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "remote", "sources": [ { "db": "CNNVD", "id": "CNNVD-202209-020" } ], "trust": 0.6 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Apache\u00a0Software\u00a0Foundation\u00a0 of \u00a0ShenYu\u00a0 Vulnerability in improper permission assignment for critical resources in", "sources": [ { "db": "JVNDB", "id": "JVNDB-2022-016408" } ], "trust": 0.8 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "other", "sources": [ { "db": "CNNVD", "id": "CNNVD-202209-020" } ], "trust": 0.6 } }
CVE-2023-25753 (GCVE-0-2023-25753)
Vulnerability from cvelistv5
- CWE-918 - Server-Side Request Forgery (SSRF)
URL | Tags |
---|---|
https://lists.apache.org/thread/chprswxvb22z35vnoxv9tt3zknsm977d | vendor-advisory |

Vendor | Product | Version |
---|---|---|
Apache Software Foundation | Apache ShenYu | Version: 0 ≤ 2.5.1 (affected from 0 up to and including 2.5.1) |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T11:32:11.718Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.apache.org/thread/chprswxvb22z35vnoxv9tt3zknsm977d" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-25753", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-12T20:32:03.176770Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-12T20:32:26.867Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Apache ShenYu", "vendor": "Apache Software Foundation", "versions": [ { "lessThanOrEqual": "2.5.1", "status": "affected", "version": "0", "versionType": "maven" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "by3" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\n\n\u003cp\u003eThere exists an SSRF (Server-Side Request Forgery) vulnerability located at the /sandbox/proxyGateway endpoint. This vulnerability allows us to manipulate arbitrary requests and retrieve corresponding responses by inputting any URL into the requestUrl parameter.\u003c/p\u003e\u003cp\u003eOf particular concern is our ability to exert control over the HTTP method, cookies, IP address, and headers. 
This effectively grants us the capability to dispatch complete HTTP requests to hosts of our choosing.\u003c/p\u003e\u003cp\u003e\n\n\u003c/p\u003e\u003cp\u003eThis issue affects Apache ShenYu: 2.5.1.\u003c/p\u003e\u003cp\u003eUpgrade to Apache ShenYu 2.6.0 or apply patch\u0026nbsp;\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/apache/shenyu/pull/4776\"\u003ehttps://github.com/apache/shenyu/pull/4776\u003c/a\u003e\u0026nbsp;.\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\n\n" } ], "value": "\nThere exists an SSRF (Server-Side Request Forgery) vulnerability located at the /sandbox/proxyGateway endpoint. This vulnerability allows us to manipulate arbitrary requests and retrieve corresponding responses by inputting any URL into the requestUrl parameter.\n\nOf particular concern is our ability to exert control over the HTTP method, cookies, IP address, and headers. This effectively grants us the capability to dispatch complete HTTP requests to hosts of our choosing.\n\nThis issue affects Apache ShenYu: 2.5.1.\n\nUpgrade to Apache ShenYu 2.6.0 or apply patch\u00a0 https://github.com/apache/shenyu/pull/4776 \u00a0.\n\n" } ], "metrics": [ { "other": { "content": { "text": "low" }, "type": "Textual description of severity" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-918", "description": "CWE-918 Server-Side Request Forgery (SSRF)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-10-19T08:35:31.452Z", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://lists.apache.org/thread/chprswxvb22z35vnoxv9tt3zknsm977d" } ], "source": { "discovery": "UNKNOWN" }, "title": "Server-Side Request Forgery in Apache ShenYu", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2023-25753", "datePublished": 
"2023-10-19T08:35:24.075Z", "dateReserved": "2023-02-13T14:14:30.512Z", "dateUpdated": "2024-09-12T20:32:26.867Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-23944 (GCVE-0-2022-23944)
Vulnerability from cvelistv5
- CWE-862 - Missing Authorization
URL | Tags |
---|---|
https://lists.apache.org/thread/dbrjnnlrf80dr0f92k5r2ysfvf1kr67y | x_refsource_MISC |
http://www.openwall.com/lists/oss-security/2022/01/25/5 | mailing-list, x_refsource_MLIST |
http://www.openwall.com/lists/oss-security/2022/01/25/15 | mailing-list, x_refsource_MLIST |
http://www.openwall.com/lists/oss-security/2022/01/26/2 | mailing-list, x_refsource_MLIST |

Vendor | Product | Version |
---|---|---|
Apache Software Foundation | Apache ShenYu (incubating) | Version: Apache ShenYu (incubating) < 2.4.2 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T03:59:23.263Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://lists.apache.org/thread/dbrjnnlrf80dr0f92k5r2ysfvf1kr67y" }, { "name": "[oss-security] 20220125 CVE-2022-23944: Apache ShenYu 2.4.1 Improper access control", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2022/01/25/5" }, { "name": "[oss-security] 20220125 Re: CVE-2022-23944: Apache ShenYu 2.4.1 Improper access control", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2022/01/25/15" }, { "name": "[oss-security] 20220126 CVE-2022-23944: Apache ShenYu (incubating) Improper access control", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2022/01/26/2" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Apache ShenYu (incubating) ", "vendor": "Apache Software Foundation", "versions": [ { "lessThan": "2.4.2", "status": "affected", "version": "Apache ShenYu (incubating)", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "User can access /plugin api without authentication. This issue affected Apache ShenYu 2.4.0 and 2.4.1." 
} ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-862", "description": "CWE-862 Missing Authorization", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-01-26T12:06:15", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://lists.apache.org/thread/dbrjnnlrf80dr0f92k5r2ysfvf1kr67y" }, { "name": "[oss-security] 20220125 CVE-2022-23944: Apache ShenYu 2.4.1 Improper access control", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2022/01/25/5" }, { "name": "[oss-security] 20220125 Re: CVE-2022-23944: Apache ShenYu 2.4.1 Improper access control", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2022/01/25/15" }, { "name": "[oss-security] 20220126 CVE-2022-23944: Apache ShenYu (incubating) Improper access control", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2022/01/26/2" } ], "source": { "discovery": "UNKNOWN" }, "title": "Apache ShenYu 2.4.1 Improper access control", "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@apache.org", "ID": "CVE-2022-23944", "STATE": "PUBLIC", "TITLE": "Apache ShenYu 2.4.1 Improper access control" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Apache ShenYu (incubating) ", "version": { "version_data": [ { "version_affected": "\u003c", "version_name": "Apache ShenYu (incubating)", "version_value": "2.4.2" } ] } } ] }, "vendor_name": "Apache Software Foundation" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "User can access /plugin api without authentication. This issue affected Apache ShenYu 2.4.0 and 2.4.1." 
} ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": [ {} ], "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-862 Missing Authorization" } ] } ] }, "references": { "reference_data": [ { "name": "https://lists.apache.org/thread/dbrjnnlrf80dr0f92k5r2ysfvf1kr67y", "refsource": "MISC", "url": "https://lists.apache.org/thread/dbrjnnlrf80dr0f92k5r2ysfvf1kr67y" }, { "name": "[oss-security] 20220125 CVE-2022-23944: Apache ShenYu 2.4.1 Improper access control", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2022/01/25/5" }, { "name": "[oss-security] 20220125 Re: CVE-2022-23944: Apache ShenYu 2.4.1 Improper access control", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2022/01/25/15" }, { "name": "[oss-security] 20220126 CVE-2022-23944: Apache ShenYu (incubating) Improper access control", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2022/01/26/2" } ] }, "source": { "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2022-23944", "datePublished": "2022-01-25T13:00:24", "dateReserved": "2022-01-25T00:00:00", "dateUpdated": "2024-08-03T03:59:23.263Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-23223 (GCVE-0-2022-23223)
Vulnerability from cvelistv5
- CWE-522 - Insufficiently Protected Credentials
URL | Tags |
---|---|
https://lists.apache.org/thread/q2gg6ny6lpkph7nkrvjzqdvqpm805v8s | x_refsource_MISC |
http://www.openwall.com/lists/oss-security/2022/01/25/7 | mailing-list, x_refsource_MLIST |
http://www.openwall.com/lists/oss-security/2022/01/26/4 | mailing-list, x_refsource_MLIST |

Vendor | Product | Version |
---|---|---|
Apache Software Foundation | Apache ShenYu (incubating) | Version: Apache ShenYu (incubating) < 2.4.2 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T03:36:20.334Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://lists.apache.org/thread/q2gg6ny6lpkph7nkrvjzqdvqpm805v8s" }, { "name": "[oss-security] 20220125 CVE-2022-23223: Password leakage in Apache ShenYu", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2022/01/25/7" }, { "name": "[oss-security] 20220126 CVE-2022-23223: Apache ShenYu (incubating) Password leakage", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2022/01/26/4" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Apache ShenYu (incubating) ", "vendor": "Apache Software Foundation", "versions": [ { "lessThan": "2.4.2", "status": "affected", "version": "Apache ShenYu (incubating) ", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "On Apache ShenYu versions 2.4.0 and 2.4.1, and endpoint existed that disclosed the passwords of all users. Users are recommended to upgrade to version 2.4.2 or later." 
} ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-522", "description": "CWE-522 Insufficiently Protected Credentials", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-10-04T08:00:34.196Z", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://lists.apache.org/thread/q2gg6ny6lpkph7nkrvjzqdvqpm805v8s" }, { "name": "[oss-security] 20220125 CVE-2022-23223: Password leakage in Apache ShenYu", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2022/01/25/7" }, { "name": "[oss-security] 20220126 CVE-2022-23223: Apache ShenYu (incubating) Password leakage", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2022/01/26/4" } ], "source": { "discovery": "UNKNOWN" }, "title": "Apache ShenYu Password leakage", "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@apache.org", "ID": "CVE-2022-23223", "STATE": "PUBLIC", "TITLE": "Apache ShenYu Password leakage" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Apache ShenYu (incubating) ", "version": { "version_data": [ { "version_affected": "\u003c", "version_name": "Apache ShenYu (incubating) ", "version_value": "2.4.2" } ] } } ] }, "vendor_name": "Apache Software Foundation" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The HTTP response will disclose the user password. This issue affected Apache ShenYu 2.4.0 and 2.4.1." 
} ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": [ {} ], "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-522 Insufficiently Protected Credentials" } ] } ] }, "references": { "reference_data": [ { "name": "https://lists.apache.org/thread/q2gg6ny6lpkph7nkrvjzqdvqpm805v8s", "refsource": "MISC", "url": "https://lists.apache.org/thread/q2gg6ny6lpkph7nkrvjzqdvqpm805v8s" }, { "name": "[oss-security] 20220125 CVE-2022-23223: Password leakage in Apache ShenYu", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2022/01/25/7" }, { "name": "[oss-security] 20220126 CVE-2022-23223: Apache ShenYu (incubating) Password leakage", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2022/01/26/4" } ] }, "source": { "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2022-23223", "datePublished": "2022-01-25T13:00:22", "dateReserved": "2022-01-14T00:00:00", "dateUpdated": "2024-08-03T03:36:20.334Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2021-37580 (GCVE-0-2021-37580)
Vulnerability from cvelistv5
- CWE-287 - Improper Authentication
▼ | URL | Tags |
---|---|---|
https://lists.apache.org/thread/o15j25qwtpcw62k48xw1tnv48skh3zgb | x_refsource_MISC | |
http://www.openwall.com/lists/oss-security/2021/11/16/1 | mailing-list, x_refsource_MLIST |
Vendor | Product | Version | ||
---|---|---|---|---|
Apache Software Foundation | Apache ShenYu Admin |
Version: Apache ShenYu Admin 2.3.0-2.4.0 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T01:23:01.186Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://lists.apache.org/thread/o15j25qwtpcw62k48xw1tnv48skh3zgb" }, { "name": "[oss-security] 20211116 CVE-2021-37580: Apache ShenYu Admin bypass JWT authentication", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2021/11/16/1" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Apache ShenYu Admin", "vendor": "Apache Software Foundation", "versions": [ { "status": "affected", "version": "Apache ShenYu Admin 2.3.0-2.4.0" } ] } ], "credits": [ { "lang": "en", "value": "This issue was reported by \u4f0d \u96c4" } ], "descriptions": [ { "lang": "en", "value": "A flaw was found in Apache ShenYu Admin. The incorrect use of JWT in ShenyuAdminBootstrap allows an attacker to bypass authentication. 
This issue affected Apache ShenYu 2.3.0 and 2.4.0" } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-287", "description": "CWE-287 Improper Authentication", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2021-11-16T12:06:06", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://lists.apache.org/thread/o15j25qwtpcw62k48xw1tnv48skh3zgb" }, { "name": "[oss-security] 20211116 CVE-2021-37580: Apache ShenYu Admin bypass JWT authentication", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2021/11/16/1" } ], "source": { "discovery": "UNKNOWN" }, "title": "Apache ShenYu Admin bypass JWT authentication", "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@apache.org", "ID": "CVE-2021-37580", "STATE": "PUBLIC", "TITLE": "Apache ShenYu Admin bypass JWT authentication" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Apache ShenYu Admin", "version": { "version_data": [ { "version_affected": "=", "version_name": "Apache ShenYu Admin", "version_value": "2.3.0-2.4.0" } ] } } ] }, "vendor_name": "Apache Software Foundation" } ] } }, "credit": [ { "lang": "eng", "value": "This issue was reported by \u4f0d \u96c4" } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "A flaw was found in Apache ShenYu Admin. The incorrect use of JWT in ShenyuAdminBootstrap allows an attacker to bypass authentication. 
This issue affected Apache ShenYu 2.3.0 and 2.4.0" } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": [ {} ], "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-287 Improper Authentication" } ] } ] }, "references": { "reference_data": [ { "name": "https://lists.apache.org/thread/o15j25qwtpcw62k48xw1tnv48skh3zgb", "refsource": "MISC", "url": "https://lists.apache.org/thread/o15j25qwtpcw62k48xw1tnv48skh3zgb" }, { "name": "[oss-security] 20211116 CVE-2021-37580: Apache ShenYu Admin bypass JWT authentication", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2021/11/16/1" } ] }, "source": { "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2021-37580", "datePublished": "2021-11-16T09:35:11", "dateReserved": "2021-07-27T00:00:00", "dateUpdated": "2024-08-04T01:23:01.186Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-37435 (GCVE-0-2022-37435)
Vulnerability from cvelistv5
- CWE-732 - Incorrect Permission Assignment for Critical Resource
▼ | URL | Tags |
---|---|---|
https://lists.apache.org/thread/ndblyxr2fdrvjtgbs1bogxgv2cgk7t28 | x_refsource_MISC |
Vendor | Product | Version | ||
---|---|---|---|---|
Apache Software Foundation | Apache ShenYu |
Version: Apache ShenYu 2.4.2 and 2.4.3 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T10:29:20.982Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://lists.apache.org/thread/ndblyxr2fdrvjtgbs1bogxgv2cgk7t28" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Apache ShenYu", "vendor": "Apache Software Foundation", "versions": [ { "status": "affected", "version": "Apache ShenYu 2.4.2 and 2.4.3" } ] } ], "credits": [ { "lang": "en", "value": "Apache ShenYu would like to thank Lulu Gu \u003cmiogulugulu@gmail.com\u003e for reporting this issue." } ], "descriptions": [ { "lang": "en", "value": "Apache ShenYu Admin has insecure permissions, which may allow low-privilege administrators to modify high-privilege administrator\u0027s passwords. This issue affects Apache ShenYu 2.4.2 and 2.4.3." } ], "metrics": [ { "other": { "content": { "other": "moderate" }, "type": "unknown" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-732", "description": "CWE-732 Incorrect Permission Assignment for Critical Resource", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-07-25T08:21:45.964Z", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://lists.apache.org/thread/ndblyxr2fdrvjtgbs1bogxgv2cgk7t28" } ], "source": { "discovery": "UNKNOWN" }, "title": "Apache ShenYu Admin Improper Privilege Management", "workarounds": [ { "lang": "en", "value": "Upgrade to Apache ShenYu 2.5.0 or apply patch https://github.com/apache/shenyu/pull/3658." 
} ], "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@apache.org", "ID": "CVE-2022-37435", "STATE": "PUBLIC", "TITLE": "Apache ShenYu Admin Improper Privilege Management" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Apache ShenYu", "version": { "version_data": [ { "version_affected": "=", "version_name": "Apache ShenYu", "version_value": "2.4.2 and 2.4.3" } ] } } ] }, "vendor_name": "Apache Software Foundation" } ] } }, "credit": [ { "lang": "eng", "value": "Apache ShenYu would like to thank Lulu Gu \u003cmiogulugulu@gmail.com\u003e for reporting this issue." } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Apache ShenYu Admin has insecure permissions, which may allow low-privilege administrators to modify high-privilege administrator\u0027s passwords. This issue affects Apache ShenYu 2.4.2 and 2.4.3." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": [ { "other": "moderate" } ], "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-732 Incorrect Permission Assignment for Critical Resource" } ] } ] }, "references": { "reference_data": [ { "name": "https://lists.apache.org/thread/ndblyxr2fdrvjtgbs1bogxgv2cgk7t28", "refsource": "MISC", "url": "https://lists.apache.org/thread/ndblyxr2fdrvjtgbs1bogxgv2cgk7t28" } ] }, "source": { "discovery": "UNKNOWN" }, "work_around": [ { "lang": "en", "value": "Upgrade to Apache ShenYu 2.5.0 or apply patch https://github.com/apache/shenyu/pull/3658." } ] } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2022-37435", "datePublished": "2022-09-01T14:00:14", "dateReserved": "2022-08-05T00:00:00", "dateUpdated": "2024-08-03T10:29:20.982Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-26650 (GCVE-0-2022-26650)
Vulnerability from cvelistv5
- CWE-1333 - Inefficient Regular Expression Complexity
| URL | Tags |
|---|---|
| https://lists.apache.org/thread/8rp33m3nm4bwtx3qx76mqynth3t3d673 | x_refsource_MISC |
| http://www.openwall.com/lists/oss-security/2022/05/17/3 | mailing-list, x_refsource_MLIST |
| Vendor | Product | Version |
|---|---|---|
| Apache Software Foundation | Apache ShenYu (incubating) | Version: unspecified < 2.4.3 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T05:11:43.499Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://lists.apache.org/thread/8rp33m3nm4bwtx3qx76mqynth3t3d673" }, { "name": "[oss-security] 20220517 CVE-2022-26650: Apache ShenYu (incubating) Regular expression denial of service", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2022/05/17/3" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Apache ShenYu (incubating) ", "vendor": "Apache Software Foundation", "versions": [ { "lessThan": "2.4.3", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "In Apache ShenYui, ShenYu-Bootstrap, RegexPredicateJudge.java uses Pattern.matches(conditionData.getParamValue(), realData) to make judgments, where both parameters are controllable by the user. This can cause an attacker pass in malicious regular expressions and characters causing a resource exhaustion. This issue affects Apache ShenYu (incubating) 2.4.0, 2.4.1 and 2.4.2 and is fixed in 2.4.3." 
} ], "metrics": [ { "other": { "content": { "other": "moderate" }, "type": "unknown" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-1333", "description": "CWE-1333 Inefficient Regular Expression Complexity", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-07-12T10:13:17.435Z", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://lists.apache.org/thread/8rp33m3nm4bwtx3qx76mqynth3t3d673" }, { "name": "[oss-security] 20220517 CVE-2022-26650: Apache ShenYu (incubating) Regular expression denial of service", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2022/05/17/3" } ], "source": { "discovery": "UNKNOWN" }, "title": "Apache ShenYu (incubating) Regular expression denial of service", "workarounds": [ { "lang": "en", "value": "Upgrade to Apache ShenYu (incubating) 2.4.3 or apply patch https://github.com/apache/incubator-shenyu/pull/2975." } ], "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@apache.org", "ID": "CVE-2022-26650", "STATE": "PUBLIC", "TITLE": "Apache ShenYu (incubating) Regular expression denial of service" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Apache ShenYu (incubating) ", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "2.4.3" } ] } } ] }, "vendor_name": "Apache Software Foundation" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "In Apache ShenYui, ShenYu-Bootstrap, RegexPredicateJudge.java uses Pattern.matches(conditionData.getParamValue(), realData) to make judgments, where both parameters are controllable by the user. This can cause an attacker pass in malicious regular expressions and characters causing a resource exhaustion. 
This issue affects Apache ShenYu (incubating) 2.4.0, 2.4.1 and 2.4.2 and is fixed in 2.4.3." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": [ { "other": "moderate" } ], "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-1333 Inefficient Regular Expression Complexity" } ] } ] }, "references": { "reference_data": [ { "name": "https://lists.apache.org/thread/8rp33m3nm4bwtx3qx76mqynth3t3d673", "refsource": "MISC", "url": "https://lists.apache.org/thread/8rp33m3nm4bwtx3qx76mqynth3t3d673" }, { "name": "[oss-security] 20220517 CVE-2022-26650: Apache ShenYu (incubating) Regular expression denial of service", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2022/05/17/3" } ] }, "source": { "discovery": "UNKNOWN" }, "work_around": [ { "lang": "en", "value": "Upgrade to Apache ShenYu (incubating) 2.4.3 or apply patch https://github.com/apache/incubator-shenyu/pull/2975." } ] } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2022-26650", "datePublished": "2022-05-17T08:05:10", "dateReserved": "2022-03-07T00:00:00", "dateUpdated": "2024-08-03T05:11:43.499Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-42735 (GCVE-0-2022-42735)
Vulnerability from cvelistv5
- CWE-269 - Improper Privilege Management
| URL | Tags |
|---|---|
| https://lists.apache.org/thread/2k8764jmckmc19qc8x51nlnngq71pcf7 | vendor-advisory |
| Vendor | Product | Version |
|---|---|---|
| Apache Software Foundation | Apache ShenYu | Version: 0 ≤ 2.5.0 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T13:10:41.459Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.apache.org/thread/2k8764jmckmc19qc8x51nlnngq71pcf7" } ], "title": "CVE Program Container" }, { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2022-42735", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2025-03-19T15:27:08.447399Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-269", "description": "CWE-269 Improper Privilege Management", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-03-19T15:27:12.113Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Apache ShenYu", "vendor": "Apache Software Foundation", "versions": [ { "lessThanOrEqual": "2.5.0", "status": "affected", "version": "0", "versionType": "maven" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "xxhzz" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Improper Privilege Management vulnerability in Apache Software Foundation Apache ShenYu.\u003cbr\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eShenYu Admin allows low-privilege low-level administrators create users with higher 
privileges than their own.\u003c/span\u003e\n\n\u003cp\u003eThis issue affects Apache ShenYu: 2.5.0.\u003c/p\u003e\u003cp\u003eUpgrade to Apache ShenYu 2.5.1 or apply patch \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/apache/shenyu/pull/3958\"\u003ehttps://github.com/apache/shenyu/pull/3958\u003c/a\u003e.\u003cbr\u003e\u003c/p\u003e" } ], "value": "Improper Privilege Management vulnerability in Apache Software Foundation Apache ShenYu.\n\n\nShenYu Admin allows low-privilege low-level administrators create users with higher privileges than their own.\n\nThis issue affects Apache ShenYu: 2.5.0.\n\nUpgrade to Apache ShenYu 2.5.1 or apply patch https://github.com/apache/shenyu/pull/3958 https://github.com/apache/shenyu/pull/3958 .\n\n\n" } ], "metrics": [ { "other": { "content": { "text": "low" }, "type": "Textual description of severity" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-269", "description": "CWE-269 Improper Privilege Management", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-02-15T09:38:55.301Z", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://lists.apache.org/thread/2k8764jmckmc19qc8x51nlnngq71pcf7" } ], "source": { "discovery": "EXTERNAL" }, "title": "Apache ShenYu Admin ultra vires", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2022-42735", "datePublished": "2023-02-15T09:38:55.301Z", "dateReserved": "2022-10-10T14:42:39.234Z", "dateUpdated": "2025-03-19T15:27:12.113Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2021-45029 (GCVE-0-2021-45029)
Vulnerability from cvelistv5
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
| URL | Tags |
|---|---|
| https://lists.apache.org/thread/3zzmwvg3012tg306x8o893fvdcssx639 | x_refsource_MISC |
| http://www.openwall.com/lists/oss-security/2022/01/25/8 | mailing-list, x_refsource_MLIST |
| http://www.openwall.com/lists/oss-security/2022/01/26/1 | mailing-list, x_refsource_MLIST |
| Vendor | Product | Version |
|---|---|---|
| Apache Software Foundation | Apache ShenYu (incubating) | Version: Apache ShenYu (incubating) < 2.4.2 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T04:32:13.478Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://lists.apache.org/thread/3zzmwvg3012tg306x8o893fvdcssx639" }, { "name": "[oss-security] 20220125 CVE-2021-45029: Groovy Code Injection \u0026 SpEL Injection in Apache ShenYu 2.4.1", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2022/01/25/8" }, { "name": "[oss-security] 20220126 CVE-2021-45029: Apache ShenYu (incubating) Groovy Code Injection and SpEL Injection", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2022/01/26/1" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Apache ShenYu (incubating) ", "vendor": "Apache Software Foundation", "versions": [ { "lessThan": "2.4.2", "status": "affected", "version": "Apache ShenYu (incubating)", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "Groovy Code Injection \u0026 SpEL Injection which lead to Remote Code Execution. This issue affected Apache ShenYu 2.4.0 and 2.4.1." 
} ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-01-26T12:06:11", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://lists.apache.org/thread/3zzmwvg3012tg306x8o893fvdcssx639" }, { "name": "[oss-security] 20220125 CVE-2021-45029: Groovy Code Injection \u0026 SpEL Injection in Apache ShenYu 2.4.1", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2022/01/25/8" }, { "name": "[oss-security] 20220126 CVE-2021-45029: Apache ShenYu (incubating) Groovy Code Injection and SpEL Injection", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2022/01/26/1" } ], "source": { "discovery": "UNKNOWN" }, "title": "Apache ShenYu 2.4.1 Groovy Code Injection \u0026 SpEL Injection", "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@apache.org", "ID": "CVE-2021-45029", "STATE": "PUBLIC", "TITLE": "Apache ShenYu 2.4.1 Groovy Code Injection \u0026 SpEL Injection" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Apache ShenYu (incubating) ", "version": { "version_data": [ { "version_affected": "\u003c", "version_name": "Apache ShenYu (incubating)", "version_value": "2.4.2" } ] } } ] }, "vendor_name": "Apache Software Foundation" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Groovy Code Injection \u0026 SpEL Injection which lead to Remote Code Execution. This issue affected Apache ShenYu 2.4.0 and 2.4.1." 
} ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": [ {} ], "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)" } ] } ] }, "references": { "reference_data": [ { "name": "https://lists.apache.org/thread/3zzmwvg3012tg306x8o893fvdcssx639", "refsource": "MISC", "url": "https://lists.apache.org/thread/3zzmwvg3012tg306x8o893fvdcssx639" }, { "name": "[oss-security] 20220125 CVE-2021-45029: Groovy Code Injection \u0026 SpEL Injection in Apache ShenYu 2.4.1", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2022/01/25/8" }, { "name": "[oss-security] 20220126 CVE-2021-45029: Apache ShenYu (incubating) Groovy Code Injection and SpEL Injection", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2022/01/26/1" } ] }, "source": { "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2021-45029", "datePublished": "2022-01-25T13:00:21", "dateReserved": "2021-12-13T00:00:00", "dateUpdated": "2024-08-04T04:32:13.478Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-23945 (GCVE-0-2022-23945)
Vulnerability from cvelistv5
- CWE-862 - Missing Authorization
| URL | Tags |
|---|---|
| https://lists.apache.org/thread/q2gg6ny6lpkph7nkrvjzqdvqpm805v8s | x_refsource_MISC |
| http://www.openwall.com/lists/oss-security/2022/01/25/6 | mailing-list, x_refsource_MLIST |
| http://www.openwall.com/lists/oss-security/2022/01/26/3 | mailing-list, x_refsource_MLIST |
| Vendor | Product | Version |
|---|---|---|
| Apache Software Foundation | Apache ShenYu (incubating) | Version: Apache ShenYu (incubating) < 2.4.2 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T03:59:23.281Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://lists.apache.org/thread/q2gg6ny6lpkph7nkrvjzqdvqpm805v8s" }, { "name": "[oss-security] 20220125 CVE-2022-23945: Apache ShenYu missing authentication allows gateway registration", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2022/01/25/6" }, { "name": "[oss-security] 20220126 CVE-2022-23945: Apache ShenYu (incubating) missing authentication allows gateway registration", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2022/01/26/3" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Apache ShenYu (incubating) ", "vendor": "Apache Software Foundation", "versions": [ { "lessThan": "2.4.2", "status": "affected", "version": "Apache ShenYu (incubating) ", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "Missing authentication on ShenYu Admin when register by HTTP. This issue affected Apache ShenYu 2.4.0 and 2.4.1." 
} ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-862", "description": "CWE-862 Missing Authorization", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-01-26T12:06:13", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://lists.apache.org/thread/q2gg6ny6lpkph7nkrvjzqdvqpm805v8s" }, { "name": "[oss-security] 20220125 CVE-2022-23945: Apache ShenYu missing authentication allows gateway registration", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2022/01/25/6" }, { "name": "[oss-security] 20220126 CVE-2022-23945: Apache ShenYu (incubating) missing authentication allows gateway registration", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2022/01/26/3" } ], "source": { "discovery": "UNKNOWN" }, "title": "Apache ShenYu missing authentication allows gateway registration", "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@apache.org", "ID": "CVE-2022-23945", "STATE": "PUBLIC", "TITLE": "Apache ShenYu missing authentication allows gateway registration" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Apache ShenYu (incubating) ", "version": { "version_data": [ { "version_affected": "\u003c", "version_name": "Apache ShenYu (incubating) ", "version_value": "2.4.2" } ] } } ] }, "vendor_name": "Apache Software Foundation" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Missing authentication on ShenYu Admin when register by HTTP. This issue affected Apache ShenYu 2.4.0 and 2.4.1." 
} ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": [ {} ], "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-862 Missing Authorization" } ] } ] }, "references": { "reference_data": [ { "name": "https://lists.apache.org/thread/q2gg6ny6lpkph7nkrvjzqdvqpm805v8s", "refsource": "MISC", "url": "https://lists.apache.org/thread/q2gg6ny6lpkph7nkrvjzqdvqpm805v8s" }, { "name": "[oss-security] 20220125 CVE-2022-23945: Apache ShenYu missing authentication allows gateway registration", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2022/01/25/6" }, { "name": "[oss-security] 20220126 CVE-2022-23945: Apache ShenYu (incubating) missing authentication allows gateway registration", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2022/01/26/3" } ] }, "source": { "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2022-23945", "datePublished": "2022-01-25T13:00:25", "dateReserved": "2022-01-25T00:00:00", "dateUpdated": "2024-08-03T03:59:23.281Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
Vulnerability from fkie_nvd
| | URL | Tags |
|---|---|---|
| security@apache.org | http://www.openwall.com/lists/oss-security/2021/11/16/1 | Mailing List, Third Party Advisory |
| security@apache.org | https://lists.apache.org/thread/o15j25qwtpcw62k48xw1tnv48skh3zgb | Mailing List, Vendor Advisory |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2021/11/16/1 | Mailing List, Third Party Advisory |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.apache.org/thread/o15j25qwtpcw62k48xw1tnv48skh3zgb | Mailing List, Vendor Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:apache:shenyu:2.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "7942402D-AEAF-4F59-BDEB-D61E7016C0AC", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:shenyu:2.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "FCB21C2B-B251-4982-902C-08EBB417FFEE", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "A flaw was found in Apache ShenYu Admin. The incorrect use of JWT in ShenyuAdminBootstrap allows an attacker to bypass authentication. This issue affected Apache ShenYu 2.3.0 and 2.4.0" }, { "lang": "es", "value": "Se ha encontrado un fallo en Apache ShenYu Admin. El uso incorrecto de JWT en ShenyuAdminBootstrap permite a un atacante omitir la autenticaci\u00f3n. Este problema afecta a Apache ShenYu versiones 2.3.0 y 2.4.0" } ], "id": "CVE-2021-37580", "lastModified": "2024-11-21T06:15:27.900", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } 
] }, "published": "2021-11-16T10:15:07.220", "references": [ { "source": "security@apache.org", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2021/11/16/1" }, { "source": "security@apache.org", "tags": [ "Mailing List", "Vendor Advisory" ], "url": "https://lists.apache.org/thread/o15j25qwtpcw62k48xw1tnv48skh3zgb" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2021/11/16/1" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Vendor Advisory" ], "url": "https://lists.apache.org/thread/o15j25qwtpcw62k48xw1tnv48skh3zgb" } ], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-287" } ], "source": "security@apache.org", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-287" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
| | URL | Tags |
|---|---|---|
| security@apache.org | http://www.openwall.com/lists/oss-security/2022/01/25/8 | Mailing List, Third Party Advisory |
| security@apache.org | http://www.openwall.com/lists/oss-security/2022/01/26/1 | Mailing List, Third Party Advisory |
| security@apache.org | https://lists.apache.org/thread/3zzmwvg3012tg306x8o893fvdcssx639 | Mailing List, Vendor Advisory |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2022/01/25/8 | Mailing List, Third Party Advisory |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2022/01/26/1 | Mailing List, Third Party Advisory |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.apache.org/thread/3zzmwvg3012tg306x8o893fvdcssx639 | Mailing List, Vendor Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:apache:shenyu:2.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "FCB21C2B-B251-4982-902C-08EBB417FFEE", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:shenyu:2.4.1:*:*:*:*:*:*:*", "matchCriteriaId": "D62E2029-6764-4E44-8F6B-2C9287AA98E9", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Groovy Code Injection \u0026 SpEL Injection which lead to Remote Code Execution. This issue affected Apache ShenYu 2.4.0 and 2.4.1." }, { "lang": "es", "value": "Una Inyecci\u00f3n de C\u00f3digo Groovy e Inyecci\u00f3n SpEL que conlleva a una Ejecuci\u00f3n de C\u00f3digo Remota. Este problema afecta a Apache ShenYu versiones 2.4.0 y 2.4.1" } ], "id": "CVE-2021-45029", "lastModified": "2024-11-21T06:31:49.763", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2022-01-25T13:15:07.783", "references": [ { "source": 
"security@apache.org", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2022/01/25/8" }, { "source": "security@apache.org", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2022/01/26/1" }, { "source": "security@apache.org", "tags": [ "Mailing List", "Vendor Advisory" ], "url": "https://lists.apache.org/thread/3zzmwvg3012tg306x8o893fvdcssx639" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2022/01/25/8" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2022/01/26/1" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Vendor Advisory" ], "url": "https://lists.apache.org/thread/3zzmwvg3012tg306x8o893fvdcssx639" } ], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-94" } ], "source": "security@apache.org", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-94" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
| | URL | Tags |
|---|---|---|
| security@apache.org | http://www.openwall.com/lists/oss-security/2022/01/25/6 | Mailing List, Third Party Advisory |
| security@apache.org | http://www.openwall.com/lists/oss-security/2022/01/26/3 | Mailing List, Patch, Third Party Advisory |
| security@apache.org | https://lists.apache.org/thread/q2gg6ny6lpkph7nkrvjzqdvqpm805v8s | Mailing List, Not Applicable, Vendor Advisory |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2022/01/25/6 | Mailing List, Third Party Advisory |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2022/01/26/3 | Mailing List, Patch, Third Party Advisory |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.apache.org/thread/q2gg6ny6lpkph7nkrvjzqdvqpm805v8s | Mailing List, Not Applicable, Vendor Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:apache:shenyu:2.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "FCB21C2B-B251-4982-902C-08EBB417FFEE", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:shenyu:2.4.1:*:*:*:*:*:*:*", "matchCriteriaId": "D62E2029-6764-4E44-8F6B-2C9287AA98E9", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Missing authentication on ShenYu Admin when register by HTTP. This issue affected Apache ShenYu 2.4.0 and 2.4.1." }, { "lang": "es", "value": "Una falta de autenticaci\u00f3n en ShenYu Admin cuando es registrado por HTTP. Este problema afecta a Apache ShenYu versiones 2.4.0 y 2.4.1" } ], "id": "CVE-2022-23945", "lastModified": "2024-11-21T06:49:30.330", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2022-01-25T13:15:08.233", "references": [ { "source": "security@apache.org", "tags": [ "Mailing List", "Third Party Advisory" ], 
"url": "http://www.openwall.com/lists/oss-security/2022/01/25/6" }, { "source": "security@apache.org", "tags": [ "Mailing List", "Patch", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2022/01/26/3" }, { "source": "security@apache.org", "tags": [ "Mailing List", "Not Applicable", "Vendor Advisory" ], "url": "https://lists.apache.org/thread/q2gg6ny6lpkph7nkrvjzqdvqpm805v8s" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2022/01/25/6" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Patch", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2022/01/26/3" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Not Applicable", "Vendor Advisory" ], "url": "https://lists.apache.org/thread/q2gg6ny6lpkph7nkrvjzqdvqpm805v8s" } ], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-862" } ], "source": "security@apache.org", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-306" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
| | URL | Tags |
|---|---|---|
| security@apache.org | http://www.openwall.com/lists/oss-security/2022/01/25/7 | Mailing List, Third Party Advisory |
| security@apache.org | http://www.openwall.com/lists/oss-security/2022/01/26/4 | Exploit, Mailing List, Patch, Third Party Advisory |
| security@apache.org | https://lists.apache.org/thread/q2gg6ny6lpkph7nkrvjzqdvqpm805v8s | Mailing List, Vendor Advisory |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2022/01/25/7 | Mailing List, Third Party Advisory |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2022/01/26/4 | Exploit, Mailing List, Patch, Third Party Advisory |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.apache.org/thread/q2gg6ny6lpkph7nkrvjzqdvqpm805v8s | Mailing List, Vendor Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:apache:shenyu:2.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "FCB21C2B-B251-4982-902C-08EBB417FFEE", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:shenyu:2.4.1:*:*:*:*:*:*:*", "matchCriteriaId": "D62E2029-6764-4E44-8F6B-2C9287AA98E9", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "On Apache ShenYu versions 2.4.0 and 2.4.1, and endpoint existed that disclosed the passwords of all users. Users are recommended to upgrade to version 2.4.2 or later." }, { "lang": "es", "value": "Una respuesta HTTP revelar\u00e1 la contrase\u00f1a del usuario. Este problema afecta a Apache ShenYu versiones 2.4.0 y 2.4.1" } ], "id": "CVE-2022-23223", "lastModified": "2024-11-21T06:48:13.633", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2022-01-25T13:15:08.137", "references": [ { "source": "security@apache.org", "tags": [ 
"Mailing List", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2022/01/25/7" }, { "source": "security@apache.org", "tags": [ "Exploit", "Mailing List", "Patch", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2022/01/26/4" }, { "source": "security@apache.org", "tags": [ "Mailing List", "Vendor Advisory" ], "url": "https://lists.apache.org/thread/q2gg6ny6lpkph7nkrvjzqdvqpm805v8s" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2022/01/25/7" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Mailing List", "Patch", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2022/01/26/4" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Vendor Advisory" ], "url": "https://lists.apache.org/thread/q2gg6ny6lpkph7nkrvjzqdvqpm805v8s" } ], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-522" } ], "source": "security@apache.org", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-522" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
▼ | URL | Tags | |
---|---|---|---|
security@apache.org | http://www.openwall.com/lists/oss-security/2022/05/17/3 | Mailing List, Patch, Third Party Advisory | |
security@apache.org | https://lists.apache.org/thread/8rp33m3nm4bwtx3qx76mqynth3t3d673 | Mailing List, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2022/05/17/3 | Mailing List, Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://lists.apache.org/thread/8rp33m3nm4bwtx3qx76mqynth3t3d673 | Mailing List, Vendor Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:apache:shenyu:2.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "FCB21C2B-B251-4982-902C-08EBB417FFEE", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:shenyu:2.4.1:*:*:*:*:*:*:*", "matchCriteriaId": "D62E2029-6764-4E44-8F6B-2C9287AA98E9", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:shenyu:2.4.2:*:*:*:*:*:*:*", "matchCriteriaId": "6D61F5F8-1314-496B-86DA-BC9652AA9FFF", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "In Apache ShenYui, ShenYu-Bootstrap, RegexPredicateJudge.java uses Pattern.matches(conditionData.getParamValue(), realData) to make judgments, where both parameters are controllable by the user. This can allow an attacker to pass in malicious regular expressions and characters, causing resource exhaustion. This issue affects Apache ShenYu (incubating) 2.4.0, 2.4.1 and 2.4.2 and is fixed in 2.4.3." }, { "lang": "es", "value": "En Apache ShenYui, ShenYu-Bootstrap, El archivo RegexPredicateJudge.java usa Pattern.matches(conditionData.getParamValue(), realData) para realizar juicios, donde ambos par\u00e1metros son controlables por el usuario. Esto puede causar que un atacante pase expresiones regulares y caracteres maliciosos causando un agotamiento de recursos. 
Este problema afecta a Apache ShenYu (incubando) versiones 2.4.0, 2.4.1 y 2.4.2 y est\u00e1 corregido en versi\u00f3n 2.4.3" } ], "id": "CVE-2022-26650", "lastModified": "2024-11-21T06:54:15.510", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2022-05-17T08:15:06.423", "references": [ { "source": "security@apache.org", "tags": [ "Mailing List", "Patch", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2022/05/17/3" }, { "source": "security@apache.org", "tags": [ "Mailing List", "Vendor Advisory" ], "url": "https://lists.apache.org/thread/8rp33m3nm4bwtx3qx76mqynth3t3d673" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Patch", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2022/05/17/3" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Vendor Advisory" ], "url": "https://lists.apache.org/thread/8rp33m3nm4bwtx3qx76mqynth3t3d673" } ], 
"sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-1333" } ], "source": "security@apache.org", "type": "Primary" }, { "description": [ { "lang": "en", "value": "CWE-1333" } ], "source": "nvd@nist.gov", "type": "Secondary" } ] }
Vulnerability from fkie_nvd
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
▼ | URL | Tags | |
---|---|---|---|
security@apache.org | https://lists.apache.org/thread/2k8764jmckmc19qc8x51nlnngq71pcf7 | Mailing List, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://lists.apache.org/thread/2k8764jmckmc19qc8x51nlnngq71pcf7 | Mailing List, Vendor Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:apache:shenyu:2.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "82EE7B78-9435-4B5B-99C9-E0413F0F01C3", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Improper Privilege Management vulnerability in Apache Software Foundation Apache ShenYu.\n\n\nShenYu Admin allows low-privilege low-level administrators to create users with higher privileges than their own.\n\nThis issue affects Apache ShenYu: 2.5.0.\n\nUpgrade to Apache ShenYu 2.5.1 or apply patch https://github.com/apache/shenyu/pull/3958 https://github.com/apache/shenyu/pull/3958 .\n\n\n" }, { "lang": "es", "value": "Vulnerabilidad de gesti\u00f3n de privilegios inadecuada en Apache Software Foundation Apache ShenYu. ShenYu Admin permite a los administradores de bajo nivel con privilegios crear usuarios con privilegios m\u00e1s altos que los suyos. Este problema afecta a Apache ShenYu: 2.5.0. Actualice a Apache ShenYu 2.5.1 o aplique el parche https://github.com/apache/shenyu/pull/3958 https://github.com/apache/shenyu/pull/3958." 
} ], "id": "CVE-2022-42735", "lastModified": "2025-03-19T16:15:16.090", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ] }, "published": "2023-02-15T10:15:16.403", "references": [ { "source": "security@apache.org", "tags": [ "Mailing List", "Vendor Advisory" ], "url": "https://lists.apache.org/thread/2k8764jmckmc19qc8x51nlnngq71pcf7" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Vendor Advisory" ], "url": "https://lists.apache.org/thread/2k8764jmckmc19qc8x51nlnngq71pcf7" } ], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-269" } ], "source": "security@apache.org", "type": "Primary" }, { "description": [ { "lang": "en", "value": "CWE-269" } ], "source": "nvd@nist.gov", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-269" } ], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ] }
Vulnerability from fkie_nvd
▼ | URL | Tags | |
---|---|---|---|
security@apache.org | https://lists.apache.org/thread/ndblyxr2fdrvjtgbs1bogxgv2cgk7t28 | Mailing List, Patch, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://lists.apache.org/thread/ndblyxr2fdrvjtgbs1bogxgv2cgk7t28 | Mailing List, Patch, Vendor Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:apache:shenyu:2.4.2:*:*:*:*:*:*:*", "matchCriteriaId": "6D61F5F8-1314-496B-86DA-BC9652AA9FFF", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:shenyu:2.4.3:*:*:*:*:*:*:*", "matchCriteriaId": "25DC8E88-0699-483C-B2ED-51118C06D7E6", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Apache ShenYu Admin has insecure permissions, which may allow low-privilege administrators to modify high-privilege administrator\u0027s passwords. This issue affects Apache ShenYu 2.4.2 and 2.4.3." }, { "lang": "es", "value": "Apache ShenYu Admin presenta permisos no seguros, lo que puede permitir a administradores poco privilegiados modificar las contrase\u00f1as de los administradores muy privilegiados. Este problema afecta a Apache ShenYu versiones 2.4.2 y 2.4.3" } ], "id": "CVE-2022-37435", "lastModified": "2024-11-21T07:14:59.333", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2022-09-01T14:15:10.427", "references": [ { "source": "security@apache.org", "tags": [ "Mailing List", "Patch", "Vendor Advisory" ], "url": "https://lists.apache.org/thread/ndblyxr2fdrvjtgbs1bogxgv2cgk7t28" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Patch", "Vendor Advisory" ], "url": "https://lists.apache.org/thread/ndblyxr2fdrvjtgbs1bogxgv2cgk7t28" } ], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { 
"lang": "en", "value": "CWE-732" } ], "source": "security@apache.org", "type": "Primary" }, { "description": [ { "lang": "en", "value": "CWE-732" } ], "source": "nvd@nist.gov", "type": "Secondary" } ] }
Vulnerability from fkie_nvd
▼ | URL | Tags | |
---|---|---|---|
security@apache.org | https://lists.apache.org/thread/chprswxvb22z35vnoxv9tt3zknsm977d | Mailing List, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://lists.apache.org/thread/chprswxvb22z35vnoxv9tt3zknsm977d | Mailing List, Vendor Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:apache:shenyu:2.5.1:*:*:*:*:*:*:*", "matchCriteriaId": "5FF6FCF7-9CEF-4E24-B669-256B1C825361", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "\nThere exists an SSRF (Server-Side Request Forgery) vulnerability located at the /sandbox/proxyGateway endpoint. This vulnerability allows us to manipulate arbitrary requests and retrieve corresponding responses by inputting any URL into the requestUrl parameter.\n\nOf particular concern is our ability to exert control over the HTTP method, cookies, IP address, and headers. This effectively grants us the capability to dispatch complete HTTP requests to hosts of our choosing.\n\nThis issue affects Apache ShenYu: 2.5.1.\n\nUpgrade to Apache ShenYu 2.6.0 or apply patch\u00a0 https://github.com/apache/shenyu/pull/4776 \u00a0.\n\n" }, { "lang": "es", "value": "Existe una vulnerabilidad SSRF (falsificaci\u00f3n de solicitudes del lado del servidor) ubicada en el endpoint /sandbox/proxyGateway. Esta vulnerabilidad nos permite manipular solicitudes arbitrarias y recuperar las respuestas correspondientes ingresando cualquier URL en el par\u00e1metro requestUrl. De particular preocupaci\u00f3n es nuestra capacidad para ejercer control sobre el m\u00e9todo HTTP, las cookies, la direcci\u00f3n IP y los encabezados. Esto efectivamente nos otorga la capacidad de enviar solicitudes HTTP completas a los hosts de nuestra elecci\u00f3n. Este problema afecta a Apache ShenYu: 2.5.1. 
Actualice a Apache ShenYu 2.6.0 o aplique el parche https://github.com/apache/shenyu/pull/4776" } ], "id": "CVE-2023-25753", "lastModified": "2024-11-21T07:50:04.903", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2023-10-19T09:15:08.480", "references": [ { "source": "security@apache.org", "tags": [ "Mailing List", "Vendor Advisory" ], "url": "https://lists.apache.org/thread/chprswxvb22z35vnoxv9tt3zknsm977d" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Vendor Advisory" ], "url": "https://lists.apache.org/thread/chprswxvb22z35vnoxv9tt3zknsm977d" } ], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-918" } ], "source": "security@apache.org", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-918" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
▼ | URL | Tags | |
---|---|---|---|
security@apache.org | http://www.openwall.com/lists/oss-security/2022/01/25/15 | Mailing List, Third Party Advisory | |
security@apache.org | http://www.openwall.com/lists/oss-security/2022/01/25/5 | Mailing List, Third Party Advisory | |
security@apache.org | http://www.openwall.com/lists/oss-security/2022/01/26/2 | Mailing List, Patch, Third Party Advisory | |
security@apache.org | https://lists.apache.org/thread/dbrjnnlrf80dr0f92k5r2ysfvf1kr67y | Mailing List, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2022/01/25/15 | Mailing List, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2022/01/25/5 | Mailing List, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2022/01/26/2 | Mailing List, Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://lists.apache.org/thread/dbrjnnlrf80dr0f92k5r2ysfvf1kr67y | Mailing List, Vendor Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:apache:shenyu:2.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "FCB21C2B-B251-4982-902C-08EBB417FFEE", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:shenyu:2.4.1:*:*:*:*:*:*:*", "matchCriteriaId": "D62E2029-6764-4E44-8F6B-2C9287AA98E9", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "User can access /plugin api without authentication. This issue affected Apache ShenYu 2.4.0 and 2.4.1." }, { "lang": "es", "value": "Un usuario puede acceder a /plugin api sin autenticaci\u00f3n. Este problema afecta a Apache ShenYu versiones 2.4.0 y 2.4.1" } ], "id": "CVE-2022-23944", "lastModified": "2024-11-21T06:49:30.207", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 6.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2022-01-25T13:15:08.183", "references": [ { "source": "security@apache.org", "tags": [ "Mailing List", "Third Party Advisory" ], "url": 
"http://www.openwall.com/lists/oss-security/2022/01/25/15" }, { "source": "security@apache.org", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2022/01/25/5" }, { "source": "security@apache.org", "tags": [ "Mailing List", "Patch", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2022/01/26/2" }, { "source": "security@apache.org", "tags": [ "Mailing List", "Vendor Advisory" ], "url": "https://lists.apache.org/thread/dbrjnnlrf80dr0f92k5r2ysfvf1kr67y" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2022/01/25/15" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2022/01/25/5" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Patch", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2022/01/26/2" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Vendor Advisory" ], "url": "https://lists.apache.org/thread/dbrjnnlrf80dr0f92k5r2ysfvf1kr67y" } ], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-862" } ], "source": "security@apache.org", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-306" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }