Description
In Apache ShenYu versions 2.4.0 and 2.4.1, an endpoint existed that disclosed the passwords of all users. Users are recommended to upgrade to version 2.4.2 or later.
Remediation
References
https://lists.apache.org/thread/q2gg6ny6lpkph7nkrvjzqdvqpm805v8s
http://www.openwall.com/lists/oss-security/2022/01/25/7
http://www.openwall.com/lists/oss-security/2022/01/26/4