Description

On Apache ShenYu versions 2.4.0 and 2.4.1, and endpoint existed that disclosed the passwords of all users. Users are recommended to upgrade to version 2.4.2 or later.

Remediation

References

http://www.openwall.com/lists/oss-security/2022/01/25/7

http://www.openwall.com/lists/oss-security/2022/01/26/4

https://lists.apache.org/thread/q2gg6ny6lpkph7nkrvjzqdvqpm805v8s

Related Vulnerabilities

CVE-2022-37616 Vulnerability in maven package org.webjars.npm:xmldom__xmldom

CVE-2022-39236 Vulnerability in npm package matrix-js-sdk

CVE-2021-44878 Vulnerability in maven package org.pac4j:pac4j-core

CVE-2020-28424 Vulnerability in npm package s3-kilatstorage

CVE-2022-39313 Vulnerability in npm package parse-server

Severity

High

Classification

CWE-522 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Tags

Mailing List Third Party Advisory Exploit Patch Vendor Advisory