CVE-2022-23944 - Vulnerability Details - OpenCVE

ReportizFlow

User can access /plugin api without authentication. This issue affected Apache ShenYu 2.4.0 and 2.4.1.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Apache	Shenyu

Configuration 1 [-]

OR	cpe:2.3:a:apache:shenyu:2.4.0:::::::*
	cpe:2.3:a:apache:shenyu:2.4.1:::::::*

No data.

References

Link	Providers
http://www.openwall.com/lists/oss-security/2022/01/25/15
http://www.openwall.com/lists/oss-security/2022/01/25/5
http://www.openwall.com/lists/oss-security/2022/01/26/2
https://lists.apache.org/thread/dbrjnnlrf80dr0f92k5r2ysfvf1kr67y

History

No history.

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2022-01-25T13:00:24.000Z

Updated: 2024-08-03T03:59:23.263Z

Reserved: 2022-01-25T00:00:00.000Z

Link: CVE-2022-23944

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-01-25T13:15:08.183

Modified: 2026-06-17T04:31:01.757

Link: CVE-2022-23944

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Apache ShenYu (incubating)", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "2.4.2", "status": "affected", "version": "Apache ShenYu (incubating)", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "User can access /plugin api without authentication. This issue affected Apache ShenYu 2.4.0 and 2.4.1."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "CWE-862 Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-01-26T12:06:15.000Z", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://lists.apache.org/thread/dbrjnnlrf80dr0f92k5r2ysfvf1kr67y"}, {"name": "[oss-security] 20220125 CVE-2022-23944: Apache ShenYu 2.4.1 Improper access control", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2022/01/25/5"}, {"name": "[oss-security] 20220125 Re: CVE-2022-23944: Apache ShenYu 2.4.1 Improper access control", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2022/01/25/15"}, {"name": "[oss-security] 20220126 CVE-2022-23944: Apache ShenYu (incubating) Improper access control", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2022/01/26/2"}], "source": {"discovery": "UNKNOWN"}, "title": "Apache ShenYu 2.4.1 Improper access control", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "[email protected]", "ID": "CVE-2022-23944", "STATE": "PUBLIC", "TITLE": "Apache ShenYu 2.4.1 Improper access control"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Apache ShenYu (incubating)", "version": {"version_data": [{"version_affected": "<", "version_name": "Apache ShenYu (incubating)", "version_value": "2.4.2"}]}}]}, "vendor_name": "Apache Software Foundation"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "User can access /plugin api without authentication. This issue affected Apache ShenYu 2.4.0 and 2.4.1."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": [{}], "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-862 Missing Authorization"}]}]}, "references": {"reference_data": [{"name": "https://lists.apache.org/thread/dbrjnnlrf80dr0f92k5r2ysfvf1kr67y", "refsource": "MISC", "url": "https://lists.apache.org/thread/dbrjnnlrf80dr0f92k5r2ysfvf1kr67y"}, {"name": "[oss-security] 20220125 CVE-2022-23944: Apache ShenYu 2.4.1 Improper access control", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2022/01/25/5"}, {"name": "[oss-security] 20220125 Re: CVE-2022-23944: Apache ShenYu 2.4.1 Improper access control", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2022/01/25/15"}, {"name": "[oss-security] 20220126 CVE-2022-23944: Apache ShenYu (incubating) Improper access control", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2022/01/26/2"}]}, "source": {"discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T03:59:23.263Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://lists.apache.org/thread/dbrjnnlrf80dr0f92k5r2ysfvf1kr67y"}, {"name": "[oss-security] 20220125 CVE-2022-23944: Apache ShenYu 2.4.1 Improper access control", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2022/01/25/5"}, {"name": "[oss-security] 20220125 Re: CVE-2022-23944: Apache ShenYu 2.4.1 Improper access control", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2022/01/25/15"}, {"name": "[oss-security] 20220126 CVE-2022-23944: Apache ShenYu (incubating) Improper access control", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2022/01/26/2"}]}]}, "cveMetadata": {"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2022-23944", "datePublished": "2022-01-25T13:00:24.000Z", "dateReserved": "2022-01-25T00:00:00.000Z", "dateUpdated": "2024-08-03T03:59:23.263Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"affected": [{"affectedData": [{"product": "Apache ShenYu (incubating)", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "2.4.2", "status": "affected", "version": "Apache ShenYu (incubating)", "versionType": "custom"}]}], "source": "[email protected]"}], "configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:shenyu:2.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "FCB21C2B-B251-4982-902C-08EBB417FFEE", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:shenyu:2.4.1:*:*:*:*:*:*:*", "matchCriteriaId": "D62E2029-6764-4E44-8F6B-2C9287AA98E9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "User can access /plugin api without authentication. This issue affected Apache ShenYu 2.4.0 and 2.4.1."}, {"lang": "es", "value": "Un usuario puede acceder a /plugin api sin autenticaci\u00f3n. Este problema afecta a Apache ShenYu versiones 2.4.0 y 2.4.1"}], "id": "CVE-2022-23944", "lastModified": "2026-06-17T04:31:01.757", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 6.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "[email protected]", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "[email protected]", "type": "Primary"}]}, "published": "2022-01-25T13:15:08.183", "references": [{"source": "[email protected]", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2022/01/25/15"}, {"source": "[email protected]", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2022/01/25/5"}, {"source": "[email protected]", "tags": ["Mailing List", "Patch", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2022/01/26/2"}, {"source": "[email protected]", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/dbrjnnlrf80dr0f92k5r2ysfvf1kr67y"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2022/01/25/15"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2022/01/25/5"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Patch", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2022/01/26/2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/dbrjnnlrf80dr0f92k5r2ysfvf1kr67y"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "[email protected]", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-306"}], "source": "[email protected]", "type": "Primary"}]}