org.apache.shenyu:shenyu-common@2.4.0 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.apache.shenyu:shenyu-common package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • M
Server-side Request Forgery (SSRF)

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the /sandbox/proxyGateway endpoint. An attacker can manipulate arbitrary requests and retrieve corresponding responses by inputting any URL into the requestUrl parameter. This effectively grants the attacker the capability to dispatch complete HTTP requests to hosts of their choosing.

Note:

This is only exploitable if the HTTP method, cookies, IP address, and headers are under the attacker's control.

How to fix Server-side Request Forgery (SSRF)?

Upgrade org.apache.shenyu:shenyu-common to version 2.6.0 or higher.

[,2.6.0)
  • M
Improper Authentication

Affected versions of this package are vulnerable to Improper Authentication during gateway registration. This may allow any user to register as the gateway.

How to fix Improper Authentication?

Upgrade org.apache.shenyu:shenyu-common to version 2.4.2 or higher.

[2.4.0,2.4.2)
  • C
Access Restriction Bypass

Affected versions of this package are vulnerable to Access Restriction Bypass due to missing authentication on ShenYu Admin, which allows leakage of user passwords in HTTP responses.

How to fix Access Restriction Bypass?

Upgrade org.apache.shenyu:shenyu-common to version 2.4.2 or higher.

[,2.4.2)