[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    [oss-security] CVE-2022-23944: Apache ShenYu (incubating) Improper access control
From:       Zhang Yonglun <zhangyonglun () apache ! org>
Date:       2022-01-26 6:29:17
Message-ID: CA+ZBtZ66qeLCWBy0DBUoRngMfP+dWdW6aRrGE6AO9nD51=opZg () mail ! gmail ! com
[Download RAW message or body]

Severity: moderate

Description:

Any user can access /plugin API without authentication. The project
use Shiro to authenticate, but the default WhiteLists are defineded in
application include /plugin path.
So everybody can access /plugin API which will list the details of all
 plugins include id, name, config (may include password). We can also
add a new plugin with  POST method while using /plugin API.
This issue affects Apache ShenYu (incubating) 2.4.0 and 2.4.1.

Mitigation:

Upgrade to Apache ShenYu (incubating) 2.4.2 or apply patch
https://github.com/apache/incubator-shenyu/pull/2462.


--

Zhang Yonglun
Apache ShenYu (Incubating)
Apache ShardingSphere
[prev in list] [next in list] [prev in thread] [next in thread]