Auth bypass in Apache Software Foundation Shenyu (Incubating)

CVE-2022-23944

User can access /plugin api without authentication. This issue affected Apache ShenYu 2.4.0 and 2.4.1.

Vulnerability class: Broken Access Control

EPSS: 0.899 (99.6th percentile) — read the EPSS interpretation.

Affected products

Apache Software Foundation Shenyu (Incubating) — versions Apache ShenYu (incubating)

Weakness classification (CWE)

CWE-862 — Missing Authorization

Public proof-of-concept exploits

References

lists.apache.org/thread/dbrjnnlrf80dr0f92k5r2ysfvf1kr67y (x_refsource_MISC)
[oss-security] 20220125 CVE-2022-23944: Apache ShenYu 2.4.1 Improper access control (mailing-list, x_refsource_MLIST)
[oss-security] 20220125 Re: CVE-2022-23944: Apache ShenYu 2.4.1 Improper access control (mailing-list, x_refsource_MLIST)
[oss-security] 20220126 CVE-2022-23944: Apache ShenYu (incubating) Improper access control (mailing-list, x_refsource_MLIST)

Frequently asked questions

What is CVE-2022-23944?: CVE-2022-23944 is a vulnerability in Apache Software Foundation Shenyu (Incubating), classified under Missing Authorization. Published 2022-01-25.
Is CVE-2022-23944 known to be exploited?: 8 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.