Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).
Severity: 9.1 CRITICAL
EPSS: 90.2% (top 0.40%)
CISA KEV: Not in KEV
Exploit: PoC available (public exploit / PoC exists)
Timeline: Published Jan 25; latest update Jan 28

Description

A user can access the /plugin API without authentication. This issue affected Apache ShenYu 2.4.0 and 2.4.1.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Exploitability: 3.9 | Impact: 5.2

Affected Packages (3 packages)

Maven | org.apache.shenyu:shenyu-common | 2.4.0 | 2.4.2
CVEListV5 | apache_software_foundation/apache_shenyu_(incubating) | Apache ShenYu (incubating) | 2.4.2
NVD | apache/shenyu | 2.4.0, 2.4.1 | +1

Patches

🔴 Vulnerability Details (3)

OSV: Missing authentication in ShenYu (2022-01-28)
GHSA: Missing authentication in ShenYu (2022-01-28)
CVEList: Apache ShenYu 2.4.1 Improper access control (2022-01-25)

💥 Exploits & PoCs (1)

Nuclei: Apache ShenYu Admin Unauth Access