Apache ShenYu security advisories

Security information for Apache ShenYu

Reporting

Do you want disclose a potential security issue for Apache ShenYu? Send your report to the Apache Security Team.

Advisories

This section is experimental: it provides advisories since 2023 and may lag behind the official CVE publications. If you have any feedback on how you would like this data to be provided, you are welcome to reach out on our public mailinglist or privately on security@apache.org

Server-Side Request Forgery in Apache ShenYu

CVE-2023-25753 [CVE] [CVE json] [OSV json]

Last updated: 2023-10-19T08:35:28.691Z

Affected

  • Apache ShenYu through 2.5.1

Description

There exists an SSRF (Server-Side Request Forgery) vulnerability located at the /sandbox/proxyGateway endpoint. This vulnerability allows us to manipulate arbitrary requests and retrieve corresponding responses by inputting any URL into the requestUrl parameter.

Of particular concern is our ability to exert control over the HTTP method, cookies, IP address, and headers. This effectively grants us the capability to dispatch complete HTTP requests to hosts of our choosing.

This issue affects Apache ShenYu: 2.5.1.

Upgrade to Apache ShenYu 2.6.0 or apply patch https://github.com/apache/shenyu/pull/4776 .

References

Credits

  • by3 (finder)

Apache ShenYu Admin ultra vires

CVE-2022-42735 [CVE] [CVE json] [OSV json]

Last updated: 2023-02-15T09:38:50.099Z

Affected

  • Apache ShenYu through 2.5.0

Description

Improper Privilege Management vulnerability in Apache Software Foundation Apache ShenYu.

ShenYu Admin allows low-privilege low-level administrators create users with higher privileges than their own.

This issue affects Apache ShenYu: 2.5.0.

Upgrade to Apache ShenYu 2.5.1 or apply patch https://github.com/apache/shenyu/pull/3958.

References

Credits

  • xxhzz (finder)

Apache ShenYu Admin Improper Privilege Management

CVE-2022-37435 [CVE] [CVE json] [OSV json]

Last updated: 2022-09-01T13:57:00.985Z

Affected

  • Apache ShenYu at 2.4.2 and 2.4.3

Description

Apache ShenYu Admin has insecure permissions, which may allow low-privilege administrators to modify high-privilege administrator’s passwords. This issue affects Apache ShenYu 2.4.2 and 2.4.3.

References

Credits

Apache ShenYu (incubating) Regular expression denial of service

CVE-2022-26650 [CVE] [CVE json]

Last updated: 2022-06-18T12:30:20.191Z

Affected

  • Apache ShenYu (incubating) from unspecified before 2.4.3

Description

In ShenYu-Bootstrap there’s RegexPredicateJudge.java which uses Pattern.matches(conditionData.getParamValue(), realData) to make judgments, where both parameters are controllable by the user. This can cause an attacker pass in malicious regular expressions and characters causing a resource exhaustion. This issue affects Apache ShenYu (incubating) 2.4.0, 2.4.1 and 2.4.2.

Credits

  • Apache ShenYu would like to thank Lai Han of NSFOCUS security team laihan4396@gmail.com for reporting this issue.

Apache ShenYu (incubating) missing authentication allows gateway registration

CVE-2022-23945 [CVE] [CVE json] [OSV json]

Last updated: 2022-01-26T06:39:24.870Z

Affected

  • Apache ShenYu (incubating) from Apache ShenYu (incubating) before 2.4.2

Description

Missing authentication on ShenYu Admin when a gateway registers. So, if ShenYu Admin is exposed to the internet, it will allow any user to register as the gateway. This issue affects Apache ShenYu (incubating) 2.4.0 and 2.4.1.

References

Apache ShenYu (incubating) Improper access control

CVE-2022-23944 [CVE] [CVE json] [OSV json]

Last updated: 2022-01-26T06:27:42.604Z

Affected

  • Apache ShenYu (incubating) from Apache ShenYu (incubating) before 2.4.2

Description

Any user can access /plugin API without authentication. The project use Shiro to authenticate, but the default WhiteLists are defineded in application include /plugin path. So everybody can access /plugin API which will list the details of all plugins include id, name, config (may include password). We can also add a new plugin with POST method while using /plugin API. This issue affects Apache ShenYu (incubating) 2.4.0 and 2.4.1.

References

Apache ShenYu (incubating) Password leakage

CVE-2022-23223 [CVE] [CVE json] [OSV json]

Last updated: 2022-01-26T06:44:20.022Z

Affected

  • Apache ShenYu (incubating) from Apache ShenYu (incubating) before 2.4.2

Description

The HTTP response will disclose the user password. When users send the request like the following URL “dashboardUser?currentPage=1&pageSize=12”, the response will disclose all the passwords of the users. This issue affects Apache ShenYu (incubating) 2.4.0 and 2.4.1.

References

Apache ShenYu (incubating) Groovy Code Injection and SpEL Injection

CVE-2021-45029 [CVE] [CVE json] [OSV json]

Last updated: 2022-01-26T06:19:24.052Z

Affected

  • Apache ShenYu (incubating) from Apache ShenYu (incubating) before 2.4.2

Description

Groovy Code Injection & SpEL Injection which lead to Remote Code Execution. Apache ShenYu (incubating) provides some plugins, and we can define our own Selectors And Rules in which we can set some condition match including “match = regEx like contain SpEL Groovy”. There are no filters to avoid Remote Code Execution before parseExpression and Eval.me. This issue affects Apache ShenYu (incubating) 2.4.0 and 2.4.1.

References

Apache ShenYu Admin bypass JWT authentication

CVE-2021-37580 [CVE] [CVE json] [OSV json]

Last updated: 2021-11-16T09:33:35.582Z

Affected

  • Apache ShenYu Admin at 2.3.0-2.4.0

Description

A flaw was found in Apache ShenYu Admin. The incorrect use of JWT in ShenyuAdminBootstrap allows an attacker to bypass authentication. This issue affected Apache ShenYu 2.3.0 and 2.4.0

References

Credits

  • This issue was reported by 伍 雄