CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2022-26650 – Apache ShenYu (incubating) Regular expression denial of service
https://notcve.org/view.php?id=CVE-2022-26650
17 May 2022 — In Apache ShenYui, ShenYu-Bootstrap, RegexPredicateJudge.java uses Pattern.matches(conditionData.getParamValue(), realData) to make judgments, where both parameters are controllable by the user. This can cause an attacker pass in malicious regular expressions and characters causing a resource exhaustion. This issue affects Apache ShenYu (incubating) 2.4.0, 2.4.1 and 2.4.2 and is fixed in 2.4.3. En Apache ShenYui, ShenYu-Bootstrap, El archivo RegexPredicateJudge.java usa Pattern.matches(conditionData.getPara... • http://www.openwall.com/lists/oss-security/2022/05/17/3 • CWE-1333: Inefficient Regular Expression Complexity •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2022-23945 – Apache ShenYu missing authentication allows gateway registration
https://notcve.org/view.php?id=CVE-2022-23945
25 Jan 2022 — Missing authentication on ShenYu Admin when register by HTTP. This issue affected Apache ShenYu 2.4.0 and 2.4.1. Una falta de autenticación en ShenYu Admin cuando es registrado por HTTP. Este problema afecta a Apache ShenYu versiones 2.4.0 y 2.4.1 • http://www.openwall.com/lists/oss-security/2022/01/25/6 • CWE-306: Missing Authentication for Critical Function CWE-862: Missing Authorization •
CVSS: 9.1EPSS: 59%CPEs: 2EXPL: 0CVE-2022-23944 – Apache ShenYu 2.4.1 Improper access control
https://notcve.org/view.php?id=CVE-2022-23944
25 Jan 2022 — User can access /plugin api without authentication. This issue affected Apache ShenYu 2.4.0 and 2.4.1. Un usuario puede acceder a /plugin api sin autenticación. Este problema afecta a Apache ShenYu versiones 2.4.0 y 2.4.1 • http://www.openwall.com/lists/oss-security/2022/01/25/15 • CWE-306: Missing Authentication for Critical Function CWE-862: Missing Authorization •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 1CVE-2022-23223 – Apache ShenYu Password leakage
https://notcve.org/view.php?id=CVE-2022-23223
25 Jan 2022 — On Apache ShenYu versions 2.4.0 and 2.4.1, and endpoint existed that disclosed the passwords of all users. Users are recommended to upgrade to version 2.4.2 or later. Una respuesta HTTP revelará la contraseña del usuario. Este problema afecta a Apache ShenYu versiones 2.4.0 y 2.4.1 • http://www.openwall.com/lists/oss-security/2022/01/25/7 • CWE-522: Insufficiently Protected Credentials •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2021-45029 – Apache ShenYu 2.4.1 Groovy Code Injection & SpEL Injection
https://notcve.org/view.php?id=CVE-2021-45029
25 Jan 2022 — Groovy Code Injection & SpEL Injection which lead to Remote Code Execution. This issue affected Apache ShenYu 2.4.0 and 2.4.1. Una Inyección de Código Groovy e Inyección SpEL que conlleva a una Ejecución de Código Remota. Este problema afecta a Apache ShenYu versiones 2.4.0 y 2.4.1 • http://www.openwall.com/lists/oss-security/2022/01/25/8 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.8EPSS: 74%CPEs: 2EXPL: 7CVE-2021-37580 – Apache ShenYu Admin bypass JWT authentication
https://notcve.org/view.php?id=CVE-2021-37580
16 Nov 2021 — A flaw was found in Apache ShenYu Admin. The incorrect use of JWT in ShenyuAdminBootstrap allows an attacker to bypass authentication. This issue affected Apache ShenYu 2.3.0 and 2.4.0 Se ha encontrado un fallo en Apache ShenYu Admin. El uso incorrecto de JWT en ShenyuAdminBootstrap permite a un atacante omitir la autenticación. Este problema afecta a Apache ShenYu versiones 2.3.0 y 2.4.0 • https://github.com/fengwenhua/CVE-2021-37580 • CWE-287: Improper Authentication •