Description

On Apache ShenYu versions 2.4.0 and 2.4.1, and endpoint existed that disclosed the passwords of all users. Users are recommended to upgrade to version 2.4.2 or later.

Remediation

References

http://www.openwall.com/lists/oss-security/2022/01/25/7

http://www.openwall.com/lists/oss-security/2022/01/26/4

https://lists.apache.org/thread/q2gg6ny6lpkph7nkrvjzqdvqpm805v8s

Related Vulnerabilities

CVE-2019-10422 Vulnerability in maven package org.ukiuni.callotherjenkins:call-remote-job-plugin

CVE-2019-10283 Vulnerability in maven package com.mabl.integration.jenkins:mabl-integration

CVE-2020-7749 Vulnerability in npm package osm-static-maps

CVE-2023-40349 Vulnerability in maven package org.jenkins-ci.plugins:gogs-webhook

CVE-2020-1935 Vulnerability in maven package org.apache.tomcat.embed:tomcat-embed-core

Severity

High

Classification

CWE-522 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Tags

Mailing List Third Party Advisory Exploit Patch Vendor Advisory