{"schema_version": "1.6.1", "id": "CVE-2022-23944", "summary": "Apache ShenYu (incubating) Improper access control", "details": "Any user can access /plugin API without authentication. The project use Shiro to authenticate, but the default WhiteLists are defineded in application include /plugin path.\nSo everybody can access /plugin API which will list the details of all  plugins include id, name, config (may include password). We can also add a new plugin with  POST method while using /plugin API. \nThis issue affects Apache ShenYu (incubating) 2.4.0 and 2.4.1.", "affected": [{"ranges": [{"type": "SEMVER", "events": [{"introduced": "Apache ShenYu (incubating)"}, {"fixed": "2.4.2"}]}]}], "references": [{"type": "ADVISORY", "url": "https://lists.apache.org/thread/dbrjnnlrf80dr0f92k5r2ysfvf1kr67y"}]}