cvelistv5 - CVE-2021-37580

CVE-2021-37580 (GCVE-0-2021-37580)

Vulnerability from cvelistv5

Published

2021-11-16 09:35

Modified

2024-08-04 01:23

Severity ?

CWE

CWE-287 - Improper Authentication

Summary

A flaw was found in Apache ShenYu Admin. The incorrect use of JWT in ShenyuAdminBootstrap allows an attacker to bypass authentication. This issue affected Apache ShenYu 2.3.0 and 2.4.0

References

URL

	Vendor	Product	Version
	Apache Software Foundation	Apache ShenYu Admin	Version: Apache ShenYu Admin 2.3.0-2.4.0

gsd-2021-37580

Vulnerability from gsd

Modified

2023-12-13 01:23

Details

A flaw was found in Apache ShenYu Admin. The incorrect use of JWT in ShenyuAdminBootstrap allows an attacker to bypass authentication. This issue affected Apache ShenYu 2.3.0 and 2.4.0

Aliases

CVE-2021-37580

Aliases

CVE-2021-37580

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2021-37580",
    "description": "A flaw was found in Apache ShenYu Admin. The incorrect use of JWT in ShenyuAdminBootstrap allows an attacker to bypass authentication. This issue affected Apache ShenYu 2.3.0 and 2.4.0",
    "id": "GSD-2021-37580"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2021-37580"
      ],
      "details": "A flaw was found in Apache ShenYu Admin. The incorrect use of JWT in ShenyuAdminBootstrap allows an attacker to bypass authentication. This issue affected Apache ShenYu 2.3.0 and 2.4.0",
      "id": "GSD-2021-37580",
      "modified": "2023-12-13T01:23:09.975298Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security@apache.org",
        "ID": "CVE-2021-37580",
        "STATE": "PUBLIC",
        "TITLE": "Apache ShenYu Admin bypass JWT authentication"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Apache ShenYu Admin",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_name": "Apache ShenYu Admin",
                          "version_value": "2.3.0-2.4.0"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Apache Software Foundation"
            }
          ]
        }
      },
      "credit": [
        {
          "lang": "eng",
          "value": "This issue was reported by \u4f0d \u96c4"
        }
      ],
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "A flaw was found in Apache ShenYu Admin. The incorrect use of JWT in ShenyuAdminBootstrap allows an attacker to bypass authentication. This issue affected Apache ShenYu 2.3.0 and 2.4.0"
          }
        ]
      },
      "generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "impact": [
        {}
      ],
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-287 Improper Authentication"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://lists.apache.org/thread/o15j25qwtpcw62k48xw1tnv48skh3zgb",
            "refsource": "MISC",
            "url": "https://lists.apache.org/thread/o15j25qwtpcw62k48xw1tnv48skh3zgb"
          },
          {
            "name": "[oss-security] 20211116 CVE-2021-37580: Apache ShenYu Admin bypass JWT authentication",
            "refsource": "MLIST",
            "url": "http://www.openwall.com/lists/oss-security/2021/11/16/1"
          }
        ]
      },
      "source": {
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "[2.3.0,2.4.0]",
          "affected_versions": "All versions starting from 2.3.0 up to 2.4.0",
          "cvss_v2": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-287",
            "CWE-937"
          ],
          "date": "2021-11-17",
          "description": "A flaw was found in Apache ShenYu Admin. The incorrect use of JWT in `ShenyuAdminBootstrap` allows an attacker to bypass authentication.",
          "fixed_versions": [
            "2.4.1"
          ],
          "identifier": "CVE-2021-37580",
          "identifiers": [
            "CVE-2021-37580"
          ],
          "not_impacted": "All versions before 2.3.0, all versions after 2.4.0",
          "package_slug": "maven/org.apache.shenyu/shenyu-admin",
          "pubdate": "2021-11-16",
          "solution": "Upgrade to version 2.4.1 or above.",
          "title": "Improper Authentication",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2021-37580",
            "https://lists.apache.org/thread/o15j25qwtpcw62k48xw1tnv48skh3zgb",
            "http://www.openwall.com/lists/oss-security/2021/11/16/1"
          ],
          "uuid": "dabe7212-cd4a-4f17-ba1b-4b162b99ec54"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:apache:shenyu:2.3.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:shenyu:2.4.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2021-37580"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "A flaw was found in Apache ShenYu Admin. The incorrect use of JWT in ShenyuAdminBootstrap allows an attacker to bypass authentication. This issue affected Apache ShenYu 2.3.0 and 2.4.0"
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-287"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://lists.apache.org/thread/o15j25qwtpcw62k48xw1tnv48skh3zgb",
              "refsource": "MISC",
              "tags": [
                "Mailing List",
                "Vendor Advisory"
              ],
              "url": "https://lists.apache.org/thread/o15j25qwtpcw62k48xw1tnv48skh3zgb"
            },
            {
              "name": "[oss-security] 20211116 CVE-2021-37580: Apache ShenYu Admin bypass JWT authentication",
              "refsource": "MLIST",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2021/11/16/1"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 6.4,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "HIGH",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2021-11-17T20:17Z",
      "publishedDate": "2021-11-16T10:15Z"
    }
  }
}

fkie_cve-2021-37580

Vulnerability from fkie_nvd

Published

2021-11-16 10:15

Modified

2024-11-21 06:15

Severity ?

9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

A flaw was found in Apache ShenYu Admin. The incorrect use of JWT in ShenyuAdminBootstrap allows an attacker to bypass authentication. This issue affected Apache ShenYu 2.3.0 and 2.4.0

References

URL	Tags
security@apache.org	http://www.openwall.com/lists/oss-security/2021/11/16/1	Mailing List, Third Party Advisory
security@apache.org	https://lists.apache.org/thread/o15j25qwtpcw62k48xw1tnv48skh3zgb	Mailing List, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.openwall.com/lists/oss-security/2021/11/16/1	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread/o15j25qwtpcw62k48xw1tnv48skh3zgb	Mailing List, Vendor Advisory

Impacted products

	Vendor	Product	Version
	apache	shenyu	2.3.0
	apache	shenyu	2.4.0

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:apache:shenyu:2.3.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "7942402D-AEAF-4F59-BDEB-D61E7016C0AC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:shenyu:2.4.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "FCB21C2B-B251-4982-902C-08EBB417FFEE",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A flaw was found in Apache ShenYu Admin. The incorrect use of JWT in ShenyuAdminBootstrap allows an attacker to bypass authentication. This issue affected Apache ShenYu 2.3.0 and 2.4.0"
    },
    {
      "lang": "es",
      "value": "Se ha encontrado un fallo en Apache ShenYu Admin. El uso incorrecto de JWT en ShenyuAdminBootstrap permite a un atacante omitir la autenticaci\u00f3n. Este problema afecta a Apache ShenYu versiones 2.3.0 y 2.4.0"
    }
  ],
  "id": "CVE-2021-37580",
  "lastModified": "2024-11-21T06:15:27.900",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 7.5,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-11-16T10:15:07.220",
  "references": [
    {
      "source": "security@apache.org",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2021/11/16/1"
    },
    {
      "source": "security@apache.org",
      "tags": [
        "Mailing List",
        "Vendor Advisory"
      ],
      "url": "https://lists.apache.org/thread/o15j25qwtpcw62k48xw1tnv48skh3zgb"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2021/11/16/1"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Vendor Advisory"
      ],
      "url": "https://lists.apache.org/thread/o15j25qwtpcw62k48xw1tnv48skh3zgb"
    }
  ],
  "sourceIdentifier": "security@apache.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-287"
        }
      ],
      "source": "security@apache.org",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-287"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

A flaw was found in Apache ShenYu Admin. The incorrect use of JWT in ShenyuAdminBootstrap allows an attacker to bypass authentication. This issue affected Apache ShenYu 2.3.0 and 2.4.0. Apache ShenYu Admin There is an authentication vulnerability in.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. Apache ShenYu is an asynchronous, high-performance, cross-language, and responsive API gateway of the Apache Foundation. No detailed vulnerability details are currently provided

Show details on source website

JSON

To clipboard

{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-202111-0822",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "shenyu",
        "scope": "eq",
        "trust": 2.4,
        "vendor": "apache",
        "version": "2.3.0"
      },
      {
        "model": "shenyu",
        "scope": "eq",
        "trust": 2.4,
        "vendor": "apache",
        "version": "2.4.0"
      },
      {
        "model": "shenyu",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "apache",
        "version": null
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2021-89682"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-015197"
      },
      {
        "db": "NVD",
        "id": "CVE-2021-37580"
      }
    ]
  },
  "cve": "CVE-2021-37580",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "nvd@nist.gov",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 10.0,
            "id": "CVE-2021-37580",
            "impactScore": 6.4,
            "integrityImpact": "PARTIAL",
            "severity": "HIGH",
            "trust": 1.9,
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "CNVD",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 10.0,
            "id": "CNVD-2021-89682",
            "impactScore": 6.4,
            "integrityImpact": "PARTIAL",
            "severity": "HIGH",
            "trust": 0.6,
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "nvd@nist.gov",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 3.9,
            "id": "CVE-2021-37580",
            "impactScore": 5.9,
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "trust": 1.0,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          {
            "attackComplexity": "Low",
            "attackVector": "Network",
            "author": "NVD",
            "availabilityImpact": "High",
            "baseScore": 9.8,
            "baseSeverity": "Critical",
            "confidentialityImpact": "High",
            "exploitabilityScore": null,
            "id": "CVE-2021-37580",
            "impactScore": null,
            "integrityImpact": "High",
            "privilegesRequired": "None",
            "scope": "Unchanged",
            "trust": 0.8,
            "userInteraction": "None",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "nvd@nist.gov",
            "id": "CVE-2021-37580",
            "trust": 1.0,
            "value": "CRITICAL"
          },
          {
            "author": "NVD",
            "id": "CVE-2021-37580",
            "trust": 0.8,
            "value": "Critical"
          },
          {
            "author": "CNVD",
            "id": "CNVD-2021-89682",
            "trust": 0.6,
            "value": "HIGH"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-202111-1500",
            "trust": 0.6,
            "value": "CRITICAL"
          },
          {
            "author": "VULMON",
            "id": "CVE-2021-37580",
            "trust": 0.1,
            "value": "HIGH"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2021-89682"
      },
      {
        "db": "VULMON",
        "id": "CVE-2021-37580"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-015197"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202111-1500"
      },
      {
        "db": "NVD",
        "id": "CVE-2021-37580"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "A flaw was found in Apache ShenYu Admin. The incorrect use of JWT in ShenyuAdminBootstrap allows an attacker to bypass authentication. This issue affected Apache ShenYu 2.3.0 and 2.4.0. Apache ShenYu Admin There is an authentication vulnerability in.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. Apache ShenYu is an asynchronous, high-performance, cross-language, and responsive API gateway of the Apache Foundation. No detailed vulnerability details are currently provided",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2021-37580"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-015197"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2021-89682"
      },
      {
        "db": "VULMON",
        "id": "CVE-2021-37580"
      }
    ],
    "trust": 2.25
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2021-37580",
        "trust": 3.9
      },
      {
        "db": "OPENWALL",
        "id": "OSS-SECURITY/2021/11/16/1",
        "trust": 1.7
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-015197",
        "trust": 0.8
      },
      {
        "db": "CNVD",
        "id": "CNVD-2021-89682",
        "trust": 0.6
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202111-1500",
        "trust": 0.6
      },
      {
        "db": "VULMON",
        "id": "CVE-2021-37580",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2021-89682"
      },
      {
        "db": "VULMON",
        "id": "CVE-2021-37580"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-015197"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202111-1500"
      },
      {
        "db": "NVD",
        "id": "CVE-2021-37580"
      }
    ]
  },
  "id": "VAR-202111-0822",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2021-89682"
      }
    ],
    "trust": 1.1079365399999999
  },
  "iot_taxonomy": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "category": [
          "Network device"
        ],
        "sub_category": null,
        "trust": 0.6
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2021-89682"
      }
    ]
  },
  "last_update_date": "2024-08-14T13:53:47.025000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "CVE-2021-37580",
        "trust": 0.8,
        "url": "https://lists.apache.org/thread/o15j25qwtpcw62k48xw1tnv48skh3zgb"
      },
      {
        "title": "Patch for Apache ShenYu authorization issue vulnerability",
        "trust": 0.6,
        "url": "https://www.cnvd.org.cn/patchInfo/show/300116"
      },
      {
        "title": "Apache ShenYu Remediation measures for authorization problem vulnerabilities",
        "trust": 0.6,
        "url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=170134"
      },
      {
        "title": "CVE-2021-37580",
        "trust": 0.1,
        "url": "https://github.com/Liang2580/CVE-2021-37580 "
      },
      {
        "title": "CVE-2021-37580",
        "trust": 0.1,
        "url": "https://github.com/fengwenhua/CVE-2021-37580 "
      },
      {
        "title": "CVE-2021-37580",
        "trust": 0.1,
        "url": "https://github.com/rabbitsafe/CVE-2021-37580 "
      },
      {
        "title": "westone-CVE-2021-37580-scanner",
        "trust": 0.1,
        "url": "https://github.com/Osyanina/westone-CVE-2021-37580-scanner "
      },
      {
        "title": "CVE-2021-37580",
        "trust": 0.1,
        "url": "https://github.com/Wing-song/CVE-2021-37580 "
      },
      {
        "title": "CVE-2021-37580",
        "trust": 0.1,
        "url": "https://github.com/ZororoZ/CVE-2021-37580 "
      },
      {
        "title": "langligelang",
        "trust": 0.1,
        "url": "https://github.com/langligelang/langligelang "
      },
      {
        "title": "db_script_v2",
        "trust": 0.1,
        "url": "https://github.com/Ilovewomen/db_script_v2 "
      },
      {
        "title": "db_script_v2_2",
        "trust": 0.1,
        "url": "https://github.com/Ilovewomen/db_script_v2_2 "
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2021-89682"
      },
      {
        "db": "VULMON",
        "id": "CVE-2021-37580"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-015197"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202111-1500"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-287",
        "trust": 1.0
      },
      {
        "problemtype": "Inappropriate authentication (CWE-287) [NVD evaluation ]",
        "trust": 0.8
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-015197"
      },
      {
        "db": "NVD",
        "id": "CVE-2021-37580"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 2.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2021-37580"
      },
      {
        "trust": 1.7,
        "url": "https://lists.apache.org/thread/o15j25qwtpcw62k48xw1tnv48skh3zgb"
      },
      {
        "trust": 1.7,
        "url": "http://www.openwall.com/lists/oss-security/2021/11/16/1"
      },
      {
        "trust": 0.1,
        "url": "https://cwe.mitre.org/data/definitions/287.html"
      },
      {
        "trust": 0.1,
        "url": "https://github.com/liang2580/cve-2021-37580"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2021-89682"
      },
      {
        "db": "VULMON",
        "id": "CVE-2021-37580"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-015197"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202111-1500"
      },
      {
        "db": "NVD",
        "id": "CVE-2021-37580"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "CNVD",
        "id": "CNVD-2021-89682"
      },
      {
        "db": "VULMON",
        "id": "CVE-2021-37580"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-015197"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202111-1500"
      },
      {
        "db": "NVD",
        "id": "CVE-2021-37580"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2021-11-22T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2021-89682"
      },
      {
        "date": "2021-11-16T00:00:00",
        "db": "VULMON",
        "id": "CVE-2021-37580"
      },
      {
        "date": "2022-11-11T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2021-015197"
      },
      {
        "date": "2021-11-16T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202111-1500"
      },
      {
        "date": "2021-11-16T10:15:07.220000",
        "db": "NVD",
        "id": "CVE-2021-37580"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2021-11-22T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2021-89682"
      },
      {
        "date": "2021-11-17T00:00:00",
        "db": "VULMON",
        "id": "CVE-2021-37580"
      },
      {
        "date": "2022-11-11T05:28:00",
        "db": "JVNDB",
        "id": "JVNDB-2021-015197"
      },
      {
        "date": "2021-11-25T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202111-1500"
      },
      {
        "date": "2021-11-17T20:17:30.813000",
        "db": "NVD",
        "id": "CVE-2021-37580"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202111-1500"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Apache\u00a0ShenYu\u00a0Admin\u00a0 Authentication vulnerability in",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-015197"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "authorization issue",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202111-1500"
      }
    ],
    "trust": 0.6
  }
}

ghsa-vpfp-5gwq-g533

Vulnerability from github

Published

2021-11-17 23:15

Modified

2023-09-05 22:18

Severity ?

9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

Improper Authentication in Apache ShenYu Admin

Details

A flaw was found in Apache ShenYu Admin. The incorrect use of JWT in ShenyuAdminBootstrap allows an attacker to bypass authentication. This issue affected Apache ShenYu 2.3.0 and 2.4.0.

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.shenyu:shenyu-admin"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.3.0"
            },
            {
              "fixed": "2.4.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-37580"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-11-17T22:31:03Z",
    "nvd_published_at": "2021-11-16T10:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "A flaw was found in Apache ShenYu Admin. The incorrect use of JWT in ShenyuAdminBootstrap allows an attacker to bypass authentication. This issue affected Apache ShenYu 2.3.0 and 2.4.0.",
  "id": "GHSA-vpfp-5gwq-g533",
  "modified": "2023-09-05T22:18:19Z",
  "published": "2021-11-17T23:15:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37580"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/shenyu/commit/f78adb26926ba53b4ec5c21f2cf7e931461d601d"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/shenyu"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/shenyu/releases/tag/v2.4.1"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/o15j25qwtpcw62k48xw1tnv48skh3zgb"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2021/11/16/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Improper Authentication in Apache ShenYu Admin"
}

cnvd-2021-89682

Vulnerability from cnvd

Title

Apache ShenYu授权问题漏洞

Description

Apache ShenYu是美国阿帕奇（Apache）基金会的一个异步的，高性能的，跨语言的，响应式的API网关。 Apache ShenYu Admin存在授权问题漏洞，该漏洞源于ShenyuAdminBootstrap中JWT的错误使用允许攻击者绕过身份验证。目前没有详细的漏洞细节提供。

Severity

高

Patch Name

Apache ShenYu授权问题漏洞的补丁

Patch Description

Apache ShenYu是美国阿帕奇（Apache）基金会的一个异步的，高性能的，跨语言的，响应式的API网关。 Apache ShenYu Admin存在授权问题漏洞，该漏洞源于ShenyuAdminBootstrap中JWT的错误使用允许攻击者绕过身份验证。目前没有详细的漏洞细节提供。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://lists.apache.org/thread/o15j25qwtpcw62k48xw1tnv48skh3zgb

Reference

https://nvd.nist.gov/vuln/detail/CVE-2021-37580

Impacted products

Name
['Apache shenyu 2.3.0', 'Apache shenyu 2.4.0']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2021-37580"
    }
  },
  "description": "Apache ShenYu\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u57fa\u91d1\u4f1a\u7684\u4e00\u4e2a\u5f02\u6b65\u7684\uff0c\u9ad8\u6027\u80fd\u7684\uff0c\u8de8\u8bed\u8a00\u7684\uff0c\u54cd\u5e94\u5f0f\u7684API\u7f51\u5173\u3002\n\nApache ShenYu Admin\u5b58\u5728\u6388\u6743\u95ee\u9898\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8eShenyuAdminBootstrap\u4e2dJWT\u7684\u9519\u8bef\u4f7f\u7528\u5141\u8bb8\u653b\u51fb\u8005\u7ed5\u8fc7\u8eab\u4efd\u9a8c\u8bc1\u3002\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u7684\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://lists.apache.org/thread/o15j25qwtpcw62k48xw1tnv48skh3zgb",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2021-89682",
  "openTime": "2021-11-22",
  "patchDescription": "Apache ShenYu\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u57fa\u91d1\u4f1a\u7684\u4e00\u4e2a\u5f02\u6b65\u7684\uff0c\u9ad8\u6027\u80fd\u7684\uff0c\u8de8\u8bed\u8a00\u7684\uff0c\u54cd\u5e94\u5f0f\u7684API\u7f51\u5173\u3002\r\n\r\nApache ShenYu Admin\u5b58\u5728\u6388\u6743\u95ee\u9898\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8eShenyuAdminBootstrap\u4e2dJWT\u7684\u9519\u8bef\u4f7f\u7528\u5141\u8bb8\u653b\u51fb\u8005\u7ed5\u8fc7\u8eab\u4efd\u9a8c\u8bc1\u3002\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u7684\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Apache ShenYu\u6388\u6743\u95ee\u9898\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Apache shenyu 2.3.0",
      "Apache shenyu 2.4.0"
    ]
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2021-37580",
  "serverity": "\u9ad8",
  "submitTime": "2021-11-17",
  "title": "Apache ShenYu\u6388\u6743\u95ee\u9898\u6f0f\u6d1e"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2021-37580 (GCVE-0-2021-37580)

Vulnerability from cvelistv5

gsd-2021-37580

Vulnerability from gsd

fkie_cve-2021-37580

Vulnerability from fkie_nvd

var-202111-0822

Vulnerability from variot

ghsa-vpfp-5gwq-g533

Vulnerability from github

cnvd-2021-89682

Vulnerability from cnvd

Tags

Sightings

Nomenclature