Description
In Apache ShenYu versions 2.4.0 and 2.4.1, an endpoint existed that disclosed the passwords of all users. Users are recommended to upgrade to version 2.4.2 or later.
Remediation
References
http://www.openwall.com/lists/oss-security/2022/01/25/7
http://www.openwall.com/lists/oss-security/2022/01/26/4
https://lists.apache.org/thread/q2gg6ny6lpkph7nkrvjzqdvqpm805v8s
Related Vulnerabilities
CVE-2019-10318 Vulnerability in maven package org.jenkins-ci.plugins:azure-ad
CVE-2020-8141 Vulnerability in maven package org.webjars.npm:dot
CVE-2023-50774 Vulnerability in maven package org.jenkins-ci.plugins:htmlresource
CVE-2019-1003059 Vulnerability in maven package org.jvnet.hudson.plugins:ftppublisher
CVE-2020-8203 Vulnerability in maven package org.webjars.bowergithub.lodash:lodash