Description
On Apache ShenYu versions 2.4.0 and 2.4.1, and endpoint existed that disclosed the passwords of all users. Users are recommended to upgrade to version 2.4.2 or later.
Remediation
References
http://www.openwall.com/lists/oss-security/2022/01/25/7
http://www.openwall.com/lists/oss-security/2022/01/26/4
https://lists.apache.org/thread/q2gg6ny6lpkph7nkrvjzqdvqpm805v8s
Related Vulnerabilities
CVE-2021-30074 Vulnerability in npm package docsify
CVE-2020-17510 Vulnerability in maven package org.apache.shiro:shiro-spring-boot-web-starter
CVE-2022-47551 Vulnerability in maven package io.apiman:apiman-manager-api-beans
CVE-2023-31065 Vulnerability in maven package org.apache.inlong:manager-web
CVE-2022-31147 Vulnerability in maven package org.webjars:jquery-validation