Description
On Apache ShenYu versions 2.4.0 and 2.4.1, and endpoint existed that disclosed the passwords of all users. Users are recommended to upgrade to version 2.4.2 or later.
Remediation
References
http://www.openwall.com/lists/oss-security/2022/01/25/7
http://www.openwall.com/lists/oss-security/2022/01/26/4
https://lists.apache.org/thread/q2gg6ny6lpkph7nkrvjzqdvqpm805v8s
Related Vulnerabilities
CVE-2020-10672 Vulnerability in maven package com.fasterxml.jackson.core:jackson-databind
CVE-2022-4493 Vulnerability in maven package io.scif:scifio
CVE-2019-10468 Vulnerability in maven package com.elasticbox.jenkins-ci.plugins:kubernetes-ci
CVE-2023-30518 Vulnerability in maven package io.jenkins.plugins:thycotic-secret-server
CVE-2019-10369 Vulnerability in maven package org.jenkins-ci.plugins:jclouds-jenkins