Apache Shenyu
By the Year
In 2024 there have been 0 vulnerabilities in Apache Shenyu . Last year Shenyu had 2 security vulnerabilities published. Right now, Shenyu is on track to have less security vulnerabilities in 2024 than it did last year.
Year | Vulnerabilities | Average Score |
---|---|---|
2024 | 0 | 0.00 |
2023 | 2 | 7.65 |
2022 | 6 | 8.37 |
2021 | 1 | 9.80 |
2020 | 0 | 0.00 |
2019 | 0 | 0.00 |
2018 | 0 | 0.00 |
It may take a day or so for new Shenyu vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Apache Shenyu Security Vulnerabilities
There exists an SSRF (Server-Side Request Forgery) vulnerability located at the /sandbox/proxyGateway endpoint
CVE-2023-25753
6.5 - Medium
- October 19, 2023
There exists an SSRF (Server-Side Request Forgery) vulnerability located at the /sandbox/proxyGateway endpoint. This vulnerability allows us to manipulate arbitrary requests and retrieve corresponding responses by inputting any URL into the requestUrl parameter. Of particular concern is our ability to exert control over the HTTP method, cookies, IP address, and headers. This effectively grants us the capability to dispatch complete HTTP requests to hosts of our choosing. This issue affects Apache ShenYu: 2.5.1. Upgrade to Apache ShenYu 2.6.0 or apply patch https://github.com/apache/shenyu/pull/4776 .
XSPA
Improper Privilege Management vulnerability in Apache Software Foundation Apache ShenYu
CVE-2022-42735
8.8 - High
- February 15, 2023
Improper Privilege Management vulnerability in Apache Software Foundation Apache ShenYu. ShenYu Admin allows low-privilege low-level administrators create users with higher privileges than their own. This issue affects Apache ShenYu: 2.5.0. Upgrade to Apache ShenYu 2.5.1 or apply patch https://github.com/apache/shenyu/pull/3958 https://github.com/apache/shenyu/pull/3958 .
Improper Privilege Management
Apache ShenYu Admin has insecure permissions, which may
CVE-2022-37435
8.8 - High
- September 01, 2022
Apache ShenYu Admin has insecure permissions, which may allow low-privilege administrators to modify high-privilege administrator's passwords. This issue affects Apache ShenYu 2.4.2 and 2.4.3.
Incorrect Permission Assignment for Critical Resource
In Apache ShenYui
CVE-2022-26650
7.5 - High
- May 17, 2022
In Apache ShenYui, ShenYu-Bootstrap, RegexPredicateJudge.java uses Pattern.matches(conditionData.getParamValue(), realData) to make judgments, where both parameters are controllable by the user. This can cause an attacker pass in malicious regular expressions and characters causing a resource exhaustion. This issue affects Apache ShenYu (incubating) 2.4.0, 2.4.1 and 2.4.2 and is fixed in 2.4.3.
ReDoS
Groovy Code Injection & SpEL Injection which lead to Remote Code Execution
CVE-2021-45029
9.8 - Critical
- January 25, 2022
Groovy Code Injection & SpEL Injection which lead to Remote Code Execution. This issue affected Apache ShenYu 2.4.0 and 2.4.1.
Code Injection
User can access /plugin api without authentication
CVE-2022-23944
9.1 - Critical
- January 25, 2022
User can access /plugin api without authentication. This issue affected Apache ShenYu 2.4.0 and 2.4.1.
Missing Authentication for Critical Function
On Apache ShenYu versions 2.4.0 and 2.4.1, and endpoint existed that disclosed the passwords of all users
CVE-2022-23223
7.5 - High
- January 25, 2022
On Apache ShenYu versions 2.4.0 and 2.4.1, and endpoint existed that disclosed the passwords of all users. Users are recommended to upgrade to version 2.4.2 or later.
Insufficiently Protected Credentials
Missing authentication on ShenYu Admin when register by HTTP
CVE-2022-23945
7.5 - High
- January 25, 2022
Missing authentication on ShenYu Admin when register by HTTP. This issue affected Apache ShenYu 2.4.0 and 2.4.1.
Missing Authentication for Critical Function
A flaw was found in Apache ShenYu Admin
CVE-2021-37580
9.8 - Critical
- November 16, 2021
A flaw was found in Apache ShenYu Admin. The incorrect use of JWT in ShenyuAdminBootstrap allows an attacker to bypass authentication. This issue affected Apache ShenYu 2.3.0 and 2.4.0
authentification
Stay on top of Security Vulnerabilities
Want an email whenever new vulnerabilities are published for Apache Shenyu or by Apache? Click the Watch button to subscribe.