ByteOS Network

Vulnerability Details :

CVE-2022-23944

Summary

Assigner-apache

Assigner Org ID-f0158376-9dc2-43b6-827c-5f631a4d8d09

Published At-25 Jan, 2022 | 13:00

Updated At-03 Aug, 2024 | 03:59

Apache ShenYu 2.4.1 Improper access control

User can access /plugin api without authentication. This issue affected Apache ShenYu 2.4.0 and 2.4.1.

EPSS History

Score

Latest Score

N/A

Percentile

Latest Percentile

N/A

▼Common Vulnerabilities and Exposures (CVE)

cve.org

Assigner:apache

Assigner Org ID:f0158376-9dc2-43b6-827c-5f631a4d8d09

Published At:25 Jan, 2022 | 13:00

Updated At:03 Aug, 2024 | 03:59

▼CVE Numbering Authority (CNA)

Apache ShenYu 2.4.1 Improper access control

User can access /plugin api without authentication. This issue affected Apache ShenYu 2.4.0 and 2.4.1.

Affected Products

Vendor

The Apache Software Foundation

Product

Apache ShenYu (incubating)

Versions

Affected

From Apache ShenYu (incubating) before 2.4.2 (custom)

Problem Types

Type	CWE ID	Description
CWE	CWE-862	CWE-862 Missing Authorization

Type: CWE

CWE ID: CWE-862

Description: CWE-862 Missing Authorization

References

Hyperlink	Resource
https://lists.apache.org/thread/dbrjnnlrf80dr0f92k5r2ysfvf1kr67y	x_refsource_MISC
http://www.openwall.com/lists/oss-security/2022/01/25/5	mailing-list x_refsource_MLIST
http://www.openwall.com/lists/oss-security/2022/01/25/15	mailing-list x_refsource_MLIST
http://www.openwall.com/lists/oss-security/2022/01/26/2	mailing-list x_refsource_MLIST

Hyperlink: https://lists.apache.org/thread/dbrjnnlrf80dr0f92k5r2ysfvf1kr67y

Resource:

x_refsource_MISC

Hyperlink: http://www.openwall.com/lists/oss-security/2022/01/25/5

Resource:

mailing-list

x_refsource_MLIST

Hyperlink: http://www.openwall.com/lists/oss-security/2022/01/25/15

Resource:

mailing-list

x_refsource_MLIST

Hyperlink: http://www.openwall.com/lists/oss-security/2022/01/26/2

Resource:

mailing-list

x_refsource_MLIST

▼Authorized Data Publishers (ADP)

CVE Program Container

References

Hyperlink	Resource
https://lists.apache.org/thread/dbrjnnlrf80dr0f92k5r2ysfvf1kr67y	x_refsource_MISC x_transferred
http://www.openwall.com/lists/oss-security/2022/01/25/5	mailing-list x_refsource_MLIST x_transferred
http://www.openwall.com/lists/oss-security/2022/01/25/15	mailing-list x_refsource_MLIST x_transferred
http://www.openwall.com/lists/oss-security/2022/01/26/2	mailing-list x_refsource_MLIST x_transferred

Hyperlink: https://lists.apache.org/thread/dbrjnnlrf80dr0f92k5r2ysfvf1kr67y

Resource:

x_refsource_MISC

x_transferred

Hyperlink: http://www.openwall.com/lists/oss-security/2022/01/25/5

Resource:

mailing-list

x_refsource_MLIST

x_transferred

Hyperlink: http://www.openwall.com/lists/oss-security/2022/01/25/15

Resource:

mailing-list

x_refsource_MLIST

x_transferred

Hyperlink: http://www.openwall.com/lists/oss-security/2022/01/26/2

Resource:

mailing-list

x_refsource_MLIST

x_transferred

▼National Vulnerability Database (NVD)

nvd.nist.gov

Source:security@apache.org

Published At:25 Jan, 2022 | 13:15

Updated At:01 Feb, 2022 | 14:28

User can access /plugin api without authentication. This issue affected Apache ShenYu 2.4.0 and 2.4.1.

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Primary	3.1	9.1	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Primary	2.0	6.4	MEDIUM	AV:N/AC:L/Au:N/C:P/I:P/A:N

Type: Primary

Version: 3.1

Base score: 9.1

Base severity: CRITICAL

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Type: Primary

Version: 2.0

Base score: 6.4

Base severity: MEDIUM

Vector:

AV:N/AC:L/Au:N/C:P/I:P/A:N

CPE Matches

The Apache Software Foundation

>>shenyu>>2.4.0

cpe:2.3:a:apache:shenyu:2.4.0:*:*:*:*:*:*:*

The Apache Software Foundation

>>shenyu>>2.4.1

cpe:2.3:a:apache:shenyu:2.4.1:*:*:*:*:*:*:*

Weaknesses

CWE ID	Type	Source
CWE-306	Primary	nvd@nist.gov
CWE-862	Secondary	security@apache.org

CWE ID: CWE-306

Type: Primary

Source: nvd@nist.gov

CWE ID: CWE-862

Type: Secondary