CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-25753 – Server-Side Request Forgery in Apache ShenYu
https://notcve.org/view.php?id=CVE-2023-25753
19 Oct 2023 — There exists an SSRF (Server-Side Request Forgery) vulnerability located at the /sandbox/proxyGateway endpoint. This vulnerability allows us to manipulate arbitrary requests and retrieve corresponding responses by inputting any URL into the requestUrl parameter. Of particular concern is our ability to exert control over the HTTP method, cookies, IP address, and headers. This effectively grants us the capability to dispatch complete HTTP requests to hosts of our choosing. This issue affects Apache ShenYu: 2.... • https://lists.apache.org/thread/chprswxvb22z35vnoxv9tt3zknsm977d • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2022-42735 – Apache ShenYu Admin ultra vires
https://notcve.org/view.php?id=CVE-2022-42735
15 Feb 2023 — Improper Privilege Management vulnerability in Apache Software Foundation Apache ShenYu. ShenYu Admin allows low-privilege low-level administrators create users with higher privileges than their own. This issue affects Apache ShenYu: 2.5.0. Upgrade to Apache ShenYu 2.5.1 or apply patch https://github.com/apache/shenyu/pull/3958 https://github.com/apache/shenyu/pull/3958 . • https://lists.apache.org/thread/2k8764jmckmc19qc8x51nlnngq71pcf7 • CWE-269: Improper Privilege Management •
CVSS: 9.0EPSS: 0%CPEs: 2EXPL: 0CVE-2022-37435 – Apache ShenYu Admin Improper Privilege Management
https://notcve.org/view.php?id=CVE-2022-37435
01 Sep 2022 — Apache ShenYu Admin has insecure permissions, which may allow low-privilege administrators to modify high-privilege administrator's passwords. This issue affects Apache ShenYu 2.4.2 and 2.4.3. Apache ShenYu Admin presenta permisos no seguros, lo que puede permitir a administradores poco privilegiados modificar las contraseñas de los administradores muy privilegiados. Este problema afecta a Apache ShenYu versiones 2.4.2 y 2.4.3 • https://lists.apache.org/thread/ndblyxr2fdrvjtgbs1bogxgv2cgk7t28 • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2022-26650 – Apache ShenYu (incubating) Regular expression denial of service
https://notcve.org/view.php?id=CVE-2022-26650
17 May 2022 — In Apache ShenYui, ShenYu-Bootstrap, RegexPredicateJudge.java uses Pattern.matches(conditionData.getParamValue(), realData) to make judgments, where both parameters are controllable by the user. This can cause an attacker pass in malicious regular expressions and characters causing a resource exhaustion. This issue affects Apache ShenYu (incubating) 2.4.0, 2.4.1 and 2.4.2 and is fixed in 2.4.3. En Apache ShenYui, ShenYu-Bootstrap, El archivo RegexPredicateJudge.java usa Pattern.matches(conditionData.getPara... • http://www.openwall.com/lists/oss-security/2022/05/17/3 • CWE-1333: Inefficient Regular Expression Complexity •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2022-23945 – Apache ShenYu missing authentication allows gateway registration
https://notcve.org/view.php?id=CVE-2022-23945
25 Jan 2022 — Missing authentication on ShenYu Admin when register by HTTP. This issue affected Apache ShenYu 2.4.0 and 2.4.1. Una falta de autenticación en ShenYu Admin cuando es registrado por HTTP. Este problema afecta a Apache ShenYu versiones 2.4.0 y 2.4.1 • http://www.openwall.com/lists/oss-security/2022/01/25/6 • CWE-306: Missing Authentication for Critical Function CWE-862: Missing Authorization •
CVSS: 9.1EPSS: 59%CPEs: 2EXPL: 0CVE-2022-23944 – Apache ShenYu 2.4.1 Improper access control
https://notcve.org/view.php?id=CVE-2022-23944
25 Jan 2022 — User can access /plugin api without authentication. This issue affected Apache ShenYu 2.4.0 and 2.4.1. Un usuario puede acceder a /plugin api sin autenticación. Este problema afecta a Apache ShenYu versiones 2.4.0 y 2.4.1 • http://www.openwall.com/lists/oss-security/2022/01/25/15 • CWE-306: Missing Authentication for Critical Function CWE-862: Missing Authorization •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 1CVE-2022-23223 – Apache ShenYu Password leakage
https://notcve.org/view.php?id=CVE-2022-23223
25 Jan 2022 — On Apache ShenYu versions 2.4.0 and 2.4.1, and endpoint existed that disclosed the passwords of all users. Users are recommended to upgrade to version 2.4.2 or later. Una respuesta HTTP revelará la contraseña del usuario. Este problema afecta a Apache ShenYu versiones 2.4.0 y 2.4.1 • http://www.openwall.com/lists/oss-security/2022/01/25/7 • CWE-522: Insufficiently Protected Credentials •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2021-45029 – Apache ShenYu 2.4.1 Groovy Code Injection & SpEL Injection
https://notcve.org/view.php?id=CVE-2021-45029
25 Jan 2022 — Groovy Code Injection & SpEL Injection which lead to Remote Code Execution. This issue affected Apache ShenYu 2.4.0 and 2.4.1. Una Inyección de Código Groovy e Inyección SpEL que conlleva a una Ejecución de Código Remota. Este problema afecta a Apache ShenYu versiones 2.4.0 y 2.4.1 • http://www.openwall.com/lists/oss-security/2022/01/25/8 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.8EPSS: 74%CPEs: 2EXPL: 7CVE-2021-37580 – Apache ShenYu Admin bypass JWT authentication
https://notcve.org/view.php?id=CVE-2021-37580
16 Nov 2021 — A flaw was found in Apache ShenYu Admin. The incorrect use of JWT in ShenyuAdminBootstrap allows an attacker to bypass authentication. This issue affected Apache ShenYu 2.3.0 and 2.4.0 Se ha encontrado un fallo en Apache ShenYu Admin. El uso incorrecto de JWT en ShenyuAdminBootstrap permite a un atacante omitir la autenticación. Este problema afecta a Apache ShenYu versiones 2.3.0 y 2.4.0 • https://github.com/fengwenhua/CVE-2021-37580 • CWE-287: Improper Authentication •