Description

On Apache ShenYu versions 2.4.0 and 2.4.1, and endpoint existed that disclosed the passwords of all users. Users are recommended to upgrade to version 2.4.2 or later.

Remediation

References

http://www.openwall.com/lists/oss-security/2022/01/25/7

http://www.openwall.com/lists/oss-security/2022/01/26/4

https://lists.apache.org/thread/q2gg6ny6lpkph7nkrvjzqdvqpm805v8s

Related Vulnerabilities

CVE-2021-21293 Vulnerability in maven package org.http4s:blaze-core_2.13

CVE-2021-23353 Vulnerability in maven package org.webjars.bower:jspdf

CVE-2019-11269 Vulnerability in maven package org.springframework.security.oauth:spring-security-oauth2

CVE-2023-33008 Vulnerability in maven package org.apache.johnzon:johnzon

CVE-2020-7622 Vulnerability in maven package io.jooby:jooby-netty

Severity

High

Classification

CWE-522 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Tags

Mailing List Third Party Advisory Exploit Patch Vendor Advisory