org.apache.shenyu:shenyu-admin 2.4.1 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.apache.shenyu:shenyu-admin package. This does not include vulnerabilities belonging to this package’s dependencies.

How to fix?

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability	Vulnerable Version
M Server-side Request Forgery (SSRF) Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the `/sandbox/proxyGateway` endpoint. An attacker can manipulate arbitrary requests and retrieve corresponding responses by inputting any URL into the `requestUrl` parameter. This effectively grants the attacker the capability to dispatch complete HTTP requests to hosts of their choosing. Note: This is only exploitable if the HTTP method, cookies, IP address, and headers are under the attacker's control. How to fix Server-side Request Forgery (SSRF)? Upgrade `org.apache.shenyu:shenyu-admin` to version 2.6.0 or higher.	[,2.6.0)
M Improper Privilege Management Affected versions of this package are vulnerable to Improper Privilege Management by allowing low-privilege low-level administrators to create users with higher privileges than their own. How to fix Improper Privilege Management? Upgrade `org.apache.shenyu:shenyu-admin` to version 2.5.1 or higher.	[,2.5.1)
C Access Restriction Bypass Affected versions of this package are vulnerable to Access Restriction Bypass due to missing authentication on ShenYu Admin, which allows leakage of user passwords in HTTP responses. How to fix Access Restriction Bypass? Upgrade `org.apache.shenyu:shenyu-admin` to version 2.4.2 or higher.	[,2.4.2)
C Arbitrary Code Execution Affected versions of this package are vulnerable to Arbitrary Code Execution via the `Groovy Code` & `SpEL` plugins, which allowed for command injections. How to fix Arbitrary Code Execution? Upgrade `org.apache.shenyu:shenyu-admin` to version 2.4.2 or higher.	[,2.4.2)
C MIssing Authorization Affected versions of this package are vulnerable to MIssing Authorization. User can access /plugin api without authentication from the whitelist interface of Shenyu admin. How to fix MIssing Authorization? Upgrade `org.apache.shenyu:shenyu-admin` to version 2.4.2 or higher.	[,2.4.2)
H Access Restriction Bypass Affected versions of this package are vulnerable to Access Restriction Bypass via incorrect use of JWT in ShenyuAdminBootstrap which allows an attacker to bypass authentication. How to fix Access Restriction Bypass? Upgrade `org.apache.shenyu:shenyu-admin` to version 2.4.2 or higher.	[2.3.0,2.4.2)

Vulnerability

Vulnerable Version

Server-side Request Forgery (SSRF)

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the /sandbox/proxyGateway endpoint. An attacker can manipulate arbitrary requests and retrieve corresponding responses by inputting any URL into the requestUrl parameter. This effectively grants the attacker the capability to dispatch complete HTTP requests to hosts of their choosing.

Note:

This is only exploitable if the HTTP method, cookies, IP address, and headers are under the attacker's control.

How to fix Server-side Request Forgery (SSRF)?

Upgrade org.apache.shenyu:shenyu-admin to version 2.6.0 or higher.

[,2.6.0)

Improper Privilege Management

Affected versions of this package are vulnerable to Improper Privilege Management by allowing low-privilege low-level administrators to create users with higher privileges than their own.

How to fix Improper Privilege Management?

Upgrade org.apache.shenyu:shenyu-admin to version 2.5.1 or higher.

[,2.5.1)

Access Restriction Bypass

Affected versions of this package are vulnerable to Access Restriction Bypass due to missing authentication on ShenYu Admin, which allows leakage of user passwords in HTTP responses.

How to fix Access Restriction Bypass?

Upgrade org.apache.shenyu:shenyu-admin to version 2.4.2 or higher.

[,2.4.2)

Arbitrary Code Execution

Affected versions of this package are vulnerable to Arbitrary Code Execution via the Groovy Code & SpEL plugins, which allowed for command injections.

How to fix Arbitrary Code Execution?

Upgrade org.apache.shenyu:shenyu-admin to version 2.4.2 or higher.

[,2.4.2)

MIssing Authorization

Affected versions of this package are vulnerable to MIssing Authorization. User can access /plugin api without authentication from the whitelist interface of Shenyu admin.

How to fix MIssing Authorization?

Upgrade org.apache.shenyu:shenyu-admin to version 2.4.2 or higher.

[,2.4.2)

Access Restriction Bypass

Affected versions of this package are vulnerable to Access Restriction Bypass via incorrect use of JWT in ShenyuAdminBootstrap which allows an attacker to bypass authentication.

How to fix Access Restriction Bypass?

Upgrade org.apache.shenyu:shenyu-admin to version 2.4.2 or higher.

[2.3.0,2.4.2)

org.apache.shenyu:shenyu-admin@2.4.1 vulnerabilities

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package manager

Direct Vulnerabilities

How to fix?