{
  "containers": {
    "cna": {
      "affected": [
        {
          "product": "Apache ShenYu (incubating) ",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThan": "2.4.3",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Apache ShenYu would like to thank Lai Han of NSFOCUS security team <laihan4396@gmail.com> for reporting this issue."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In ShenYu-Bootstrap there's RegexPredicateJudge.java which uses Pattern.matches(conditionData.getParamValue(), realData) to make judgments, where both parameters are controllable by the user. This can cause an attacker pass in malicious regular expressions and characters causing a resource exhaustion. \nThis issue affects Apache ShenYu (incubating) 2.4.0, 2.4.1 and 2.4.2."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "other": "moderate"
            },
            "type": "unknown"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "orgId": "Not found",
        "shortName": "Not found"
      },
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Apache ShenYu (incubating) Regular expression denial of service",
      "workarounds": [
        {
          "lang": "en",
          "value": "Upgrade to Apache ShenYu (incubating) 2.4.3 or apply patch https://github.com/apache/incubator-shenyu/pull/2975."
        }
      ],
      "x_ValidationErrors": [
        "$.cveMetadata.assignerOrgId -- validator = pattern",
        "$.containers.cna.providerMetadata.orgId -- validator = pattern",
        "$.containers.cna -- validator = required"
      ],
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CNA_private": {
          "CVE_list": [],
          "CVE_table_description": [],
          "email": "",
          "emailed": "",
          "internal_comments": "",
          "owner": "shenyu",
          "publish": {
            "month": "",
            "year": "",
            "ym": ""
          },
          "share_with_CVE": true,
          "todo": [],
          "userslist": ""
        },
        "CVE_data_meta": {
          "AKA": "",
          "ASSIGNER": "security@apache.org",
          "DATE_PUBLIC": "",
          "ID": "CVE-2022-26650",
          "STATE": "PUBLIC",
          "TITLE": "Apache ShenYu (incubating) Regular expression denial of service"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Apache ShenYu (incubating) ",
                      "version": {
                        "version_data": [
                          {
                            "platform": "",
                            "version_affected": "<",
                            "version_name": "",
                            "version_value": "2.4.3"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Apache Software Foundation"
              }
            ]
          }
        },
        "configuration": [],
        "credit": [
          {
            "lang": "eng",
            "value": "Apache ShenYu would like to thank Lai Han of NSFOCUS security team <laihan4396@gmail.com> for reporting this issue."
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "In ShenYu-Bootstrap there's RegexPredicateJudge.java which uses Pattern.matches(conditionData.getParamValue(), realData) to make judgments, where both parameters are controllable by the user. This can cause an attacker pass in malicious regular expressions and characters causing a resource exhaustion. \nThis issue affects Apache ShenYu (incubating) 2.4.0, 2.4.1 and 2.4.2."
            }
          ]
        },
        "exploit": [],
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": [
          {
            "other": "moderate"
          }
        ],
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-862 Missing Authorization"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "",
              "refsource": "CONFIRM",
              "url": ""
            }
          ]
        },
        "solution": [],
        "source": {
          "advisory": "",
          "defect": [],
          "discovery": "UNKNOWN"
        },
        "timeline": [],
        "work_around": [
          {
            "lang": "en",
            "value": "Upgrade to Apache ShenYu (incubating) 2.4.3 or apply patch https://github.com/apache/incubator-shenyu/pull/2975."
          }
        ]
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "Not found",
    "assignerShortName": "Not found",
    "cveId": "CVE-2022-26650",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.0"
}