Apache Shenyu
By the Year
In 2023 there have been 1 vulnerability in Apache Shenyu with an average score of 8.8 out of ten. Last year Shenyu had 6 security vulnerabilities published. Right now, Shenyu is on track to have less security vulnerabilities in 2023 than it did last year. However, the average CVE base score of the vulnerabilities in 2023 is greater by 0.43.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2023 | 1 | 8.80 |
| 2022 | 6 | 8.37 |
| 2021 | 1 | 9.80 |
| 2020 | 0 | 0.00 |
| 2019 | 0 | 0.00 |
| 2018 | 0 | 0.00 |
It may take a day or so for new Shenyu vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Apache Shenyu Security Vulnerabilities
Improper Privilege Management vulnerability in Apache Software Foundation Apache ShenYu
CVE-2022-42735
8.8 - High
- February 15, 2023
Improper Privilege Management vulnerability in Apache Software Foundation Apache ShenYu. ShenYu Admin allows low-privilege low-level administrators create users with higher privileges than their own. This issue affects Apache ShenYu: 2.5.0. Upgrade to Apache ShenYu 2.5.1 or apply patch https://github.com/apache/shenyu/pull/3958 https://github.com/apache/shenyu/pull/3958 .
Apache ShenYu Admin has insecure permissions, which may
CVE-2022-37435
8.8 - High
- September 01, 2022
Apache ShenYu Admin has insecure permissions, which may allow low-privilege administrators to modify high-privilege administrator's passwords. This issue affects Apache ShenYu 2.4.2 and 2.4.3.
Improper Privilege Management
In Apache ShenYui
CVE-2022-26650
7.5 - High
- May 17, 2022
In Apache ShenYui, ShenYu-Bootstrap, RegexPredicateJudge.java uses Pattern.matches(conditionData.getParamValue(), realData) to make judgments, where both parameters are controllable by the user. This can cause an attacker pass in malicious regular expressions and characters causing a resource exhaustion. This issue affects Apache ShenYu (incubating) 2.4.0, 2.4.1 and 2.4.2 and is fixed in 2.4.3.
AuthZ
Groovy Code Injection & SpEL Injection which lead to Remote Code Execution
CVE-2021-45029
9.8 - Critical
- January 25, 2022
Groovy Code Injection & SpEL Injection which lead to Remote Code Execution. This issue affected Apache ShenYu 2.4.0 and 2.4.1.
Code Injection
User can access /plugin api without authentication
CVE-2022-23944
9.1 - Critical
- January 25, 2022
User can access /plugin api without authentication. This issue affected Apache ShenYu 2.4.0 and 2.4.1.
Missing Authentication for Critical Function
The HTTP response will disclose the user password
CVE-2022-23223
7.5 - High
- January 25, 2022
The HTTP response will disclose the user password. This issue affected Apache ShenYu 2.4.0 and 2.4.1.
Insufficiently Protected Credentials
Missing authentication on ShenYu Admin when register by HTTP
CVE-2022-23945
7.5 - High
- January 25, 2022
Missing authentication on ShenYu Admin when register by HTTP. This issue affected Apache ShenYu 2.4.0 and 2.4.1.
Missing Authentication for Critical Function
A flaw was found in Apache ShenYu Admin
CVE-2021-37580
9.8 - Critical
- November 16, 2021
A flaw was found in Apache ShenYu Admin. The incorrect use of JWT in ShenyuAdminBootstrap allows an attacker to bypass authentication. This issue affected Apache ShenYu 2.3.0 and 2.4.0
authentification
Stay on top of Security Vulnerabilities
Want an email whenever new vulnerabilities are published for Apache Shenyu or by Apache? Click the Watch button to subscribe.
