List: oss-security
Subject: [oss-security] CVE-2022-23944: Apache ShenYu (incubating) Improper access control
From: Zhang Yonglun <zhangyonglun () apache ! org>
Date: 2022-01-26 6:29:17
Message-ID: CA+ZBtZ66qeLCWBy0DBUoRngMfP+dWdW6aRrGE6AO9nD51=opZg () mail ! gmail ! com
Severity: moderate
Description:
Any user can access the /plugin API without authentication. The project
uses Shiro for authentication, but the default whitelist defined in the
application configuration includes the /plugin path.
So everybody can access the /plugin API, which lists the details of all
plugins, including id, name and config (which may include passwords). A
new plugin can also be added with a POST request to the /plugin API.
This issue affects Apache ShenYu (incubating) 2.4.0 and 2.4.1.
Mitigation:
Upgrade to Apache ShenYu (incubating) 2.4.2 or apply patch
https://github.com/apache/incubator-shenyu/pull/2462.
--
Zhang Yonglun
Apache ShenYu (Incubating)
Apache ShardingSphere
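The following script is an added example, not code from the advisory or from the ShenYu project. It shows the two halves of the issue above: why a path listed in the Shiro whitelist bypasses authentication (a simplified re-implementation of Ant-style matching, not Shiro's own matcher), with the weak whitelist beside the fixed one, and a check that an operator can point at an admin instance to see whether an unauthenticated GET /plugin still leaks plugin configs. Assumptions: the whitelist contents, the default admin port 9095, the {"code","message","data"} response wrapper with each plugin's config stored as a JSON string, and the credential-looking key names are all illustrative.

```python
import json
import re
import sys
import urllib.error
import urllib.request

# Illustrative whitelists. ASSUMPTION: these mirror the shape of the Shiro
# white-list in shenyu-admin's application config, not its exact contents.
WHITELIST_VULNERABLE = ["/", "/favicon.*", "/static/**", "/swagger-ui/**",
                        "/platform/login", "/plugin"]
# The fix described in the advisory amounts to no longer exempting /plugin.
WHITELIST_FIXED = [p for p in WHITELIST_VULNERABLE if p != "/plugin"]


def ant_to_regex(pattern):
    """Translate an Ant-style path pattern (the syntax Shiro filter chains use)
    into a compiled regex: '**' spans segments, '*' stays inside one segment,
    '?' is a single character. Simplified re-implementation, not Shiro's code."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("/**", i):      # '/static/**' also matches '/static'
            out.append("(?:/.*)?")
            i += 3
        elif pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def requires_auth(path, whitelist):
    """True when no whitelist entry matches, i.e. Shiro would demand a session."""
    return not any(ant_to_regex(p).match(path) for p in whitelist)


# Constructed responses standing in for a real shenyu-admin answer. ASSUMPTION:
# results are wrapped as {"code","message","data"}; config is a JSON string.
SAMPLE_LEAK = json.dumps({"code": 200, "message": "query success", "data": [
    {"id": "1", "name": "sign", "config": json.dumps({"secret": "s3cr3t"})},
    {"id": "2", "name": "divide", "config": None}]})
SAMPLE_DENIED = json.dumps({"code": 401, "message": "unauthorized", "data": None})

# ASSUMPTION: substrings that mark a config key as credential material.
SENSITIVE_KEYS = ("password", "secret", "key", "token")


def classify_response(status, body):
    """Classify an unauthenticated GET /plugin reply: 'vulnerable' only when the
    server returns HTTP 200 with a JSON 'data' list of plugin objects."""
    if status != 200:
        return "not_confirmed"
    try:
        doc = json.loads(body)
    except ValueError:
        return "not_confirmed"
    data = doc.get("data") if isinstance(doc, dict) else None
    if isinstance(data, list) and data and all(
            isinstance(p, dict) and "name" in p for p in data):
        return "vulnerable"
    return "not_confirmed"


def leaked_secrets(body):
    """From a leaked plugin listing, return (plugin name, config key) pairs whose
    config carries a credential-looking key, so the blast radius is visible."""
    hits = []
    for plugin in json.loads(body).get("data") or []:
        try:
            config = json.loads(plugin.get("config") or "{}")
        except ValueError:
            continue
        if isinstance(config, dict):
            for key in config:
                if any(s in key.lower() for s in SENSITIVE_KEYS):
                    hits.append((plugin.get("name"), key))
    return hits


def probe(base_url, timeout=5):
    """Live check: unauthenticated GET <base_url>/plugin. Network call; only run
    it against an instance you are authorised to test."""
    req = urllib.request.Request(base_url.rstrip("/") + "/plugin",
                                 headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_response(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:
        return classify_response(e.code, e.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    # ASSUMPTION: shenyu-admin listens on port 9095 by default.
    base = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:9095"
    print(base, "->", probe(base))
```

Run it with the admin base URL as the only argument. A "vulnerable" verdict means the listing came back without a session; the whitelist functions show that removing the single "/plugin" entry is what turns the same request into one Shiro rejects, which matches the fix the advisory points to.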