Apache ShardingSphere security advisories
Security information for Apache ShardingSphere
Reporting
Do you want disclose a potential security issue for Apache ShardingSphere? You can read more about the projects’ security policy on their security page, and email your report to the Apache Security Team.
Advisories
This section is experimental: it provides advisories since 2023 and may lag behind the official CVE publications. It may also lack details found on the project security page. If you have any feedback on how you would like this data to be provided, you are welcome to reach out on our public mailinglist or privately on security@apache.org
Deserialization vulnerability in ShardingSphere Agent
CVE-2023-28754 [CVE] [CVE json] [OSV json]
Last updated: 2023-07-19T07:15:27.885Z
Affected
- ShardingSphere-Agent through 5.3.2
Description
Deserialization of Untrusted Data vulnerability in Apache ShardingSphere-Agent, which allows attackers to execute arbitrary code by constructing a special YAML configuration file.
References
Credits
- Liav Gutman of the JFrog CSO Research team (finder)
MySQL authentication bypass
CVE-2022-45347 [CVE] [CVE json] [OSV json]
Last updated: 2023-02-15T02:21:01.314Z
Affected
- Apache ShardingSphere-Proxy before 5.3.0
Description
Apache ShardingSphere-Proxy prior to 5.3.0 when using MySQL as database backend didn’t cleanup the database session completely after client authentication failed, which allowed an attacker to execute normal commands by constructing a special MySQL client. This vulnerability has been fixed in Apache ShardingSphere 5.3.0.
References
Credits
- smoking (finder)
Apache ShardingSphere ElasticJob-UI allows RCE via event trace data source JDBC
CVE-2022-31764 [CVE] [CVE json]
Last updated: 2022-11-01T08:18:58.682Z
Affected
- Apache ShardingSphere ElasticJob-UI from Apache ShardingSphere ElasticJob-UI 3.x through 3.0.1
Description
The Lite UI of Apache ShardingSphere ElasticJob-UI allows an attacker to perform RCE by constructing a special JDBC URL of H2 database. This issue affects Apache ShardingSphere ElasticJob-UI version 3.0.1 and prior versions. This vulnerability has been fixed in ElasticJob-UI 3.0.2. The premise of this attack is that the attacker has obtained the account and password. Otherwise, the attacker cannot perform this attack.
Access-Token in ElasticJob UI causes password disclosure
CVE-2022-22733 [CVE] [CVE json] [OSV json]
Last updated: 2022-01-27T12:11:17.849Z
Affected
- Apache ShardingSphere ElasticJob-UI from Apache ShardingSphere ElasticJob-UI 3.x through 3.0.0
Description
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache ShardingSphere ElasticJob-UI allows an attacker who has guest account to do privilege escalation. This issue affects Apache ShardingSphere ElasticJob-UI Apache ShardingSphere ElasticJob-UI 3.x version 3.0.0 and prior versions.
References
Deserialization of Untrusted Data
CVE-2021-26558 [CVE] [CVE json] [OSV json]
Last updated: 2021-11-11T09:28:11.863Z
Affected
- Apache ShardingSphere-UI from 4.1.1 before Apache ShardingSphere-UI*
Description
Deserialization of Untrusted Data vulnerability of Apache ShardingSphere-UI allows an attacker to inject outer link resources. This issue affects Apache ShardingSphere-UI Apache ShardingSphere-UI version 4.1.1 and later versions; Apache ShardingSphere-UI versions prior to 5.0.0.