Shenyu Apache Shenyu

Do you want an email whenever new security vulnerabilities are reported in Apache Shenyu?

By the Year

In 2023 there have been 1 vulnerability in Apache Shenyu with an average score of 8.8 out of ten. Last year Shenyu had 6 security vulnerabilities published. Right now, Shenyu is on track to have less security vulnerabilities in 2023 than it did last year. However, the average CVE base score of the vulnerabilities in 2023 is greater by 0.43.

Year Vulnerabilities Average Score
2023 1 8.80
2022 6 8.37
2021 1 9.80
2020 0 0.00
2019 0 0.00
2018 0 0.00

It may take a day or so for new Shenyu vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Apache Shenyu Security Vulnerabilities

Improper Privilege Management vulnerability in Apache Software Foundation Apache ShenYu

CVE-2022-42735 8.8 - High - February 15, 2023

Improper Privilege Management vulnerability in Apache Software Foundation Apache ShenYu. ShenYu Admin allows low-privilege low-level administrators create users with higher privileges than their own. This issue affects Apache ShenYu: 2.5.0. Upgrade to Apache ShenYu 2.5.1 or apply patch https://github.com/apache/shenyu/pull/3958 https://github.com/apache/shenyu/pull/3958 .

Apache ShenYu Admin has insecure permissions, which may

CVE-2022-37435 8.8 - High - September 01, 2022

Apache ShenYu Admin has insecure permissions, which may allow low-privilege administrators to modify high-privilege administrator's passwords. This issue affects Apache ShenYu 2.4.2 and 2.4.3.

Improper Privilege Management

In Apache ShenYui

CVE-2022-26650 7.5 - High - May 17, 2022

In Apache ShenYui, ShenYu-Bootstrap, RegexPredicateJudge.java uses Pattern.matches(conditionData.getParamValue(), realData) to make judgments, where both parameters are controllable by the user. This can cause an attacker pass in malicious regular expressions and characters causing a resource exhaustion. This issue affects Apache ShenYu (incubating) 2.4.0, 2.4.1 and 2.4.2 and is fixed in 2.4.3.

AuthZ

Groovy Code Injection & SpEL Injection which lead to Remote Code Execution

CVE-2021-45029 9.8 - Critical - January 25, 2022

Groovy Code Injection & SpEL Injection which lead to Remote Code Execution. This issue affected Apache ShenYu 2.4.0 and 2.4.1.

Code Injection

User can access /plugin api without authentication

CVE-2022-23944 9.1 - Critical - January 25, 2022

User can access /plugin api without authentication. This issue affected Apache ShenYu 2.4.0 and 2.4.1.

Missing Authentication for Critical Function

The HTTP response will disclose the user password

CVE-2022-23223 7.5 - High - January 25, 2022

The HTTP response will disclose the user password. This issue affected Apache ShenYu 2.4.0 and 2.4.1.

Insufficiently Protected Credentials

Missing authentication on ShenYu Admin when register by HTTP

CVE-2022-23945 7.5 - High - January 25, 2022

Missing authentication on ShenYu Admin when register by HTTP. This issue affected Apache ShenYu 2.4.0 and 2.4.1.

Missing Authentication for Critical Function

A flaw was found in Apache ShenYu Admin

CVE-2021-37580 9.8 - Critical - November 16, 2021

A flaw was found in Apache ShenYu Admin. The incorrect use of JWT in ShenyuAdminBootstrap allows an attacker to bypass authentication. This issue affected Apache ShenYu 2.3.0 and 2.4.0

authentification

Stay on top of Security Vulnerabilities

Want an email whenever new vulnerabilities are published for Apache Shenyu or by Apache? Click the Watch button to subscribe.

Apache
Vendor

Apache Shenyu
Product

subscribe