org.apache.shenyu:shenyu-common 2.4.0 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.apache.shenyu:shenyu-common package. This does not include vulnerabilities belonging to this package’s dependencies.

How to fix?

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability	Vulnerable Version
M Server-side Request Forgery (SSRF) Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the `/sandbox/proxyGateway` endpoint. An attacker can manipulate arbitrary requests and retrieve corresponding responses by inputting any URL into the `requestUrl` parameter. This effectively grants the attacker the capability to dispatch complete HTTP requests to hosts of their choosing. Note: This is only exploitable if the HTTP method, cookies, IP address, and headers are under the attacker's control. How to fix Server-side Request Forgery (SSRF)? Upgrade `org.apache.shenyu:shenyu-common` to version 2.6.0 or higher.	[,2.6.0)
M Improper Authentication Affected versions of this package are vulnerable to Improper Authentication during gateway registration. This may allow any user to register as the gateway. How to fix Improper Authentication? Upgrade `org.apache.shenyu:shenyu-common` to version 2.4.2 or higher.	[2.4.0,2.4.2)
C Access Restriction Bypass Affected versions of this package are vulnerable to Access Restriction Bypass due to missing authentication on ShenYu Admin, which allows leakage of user passwords in HTTP responses. How to fix Access Restriction Bypass? Upgrade `org.apache.shenyu:shenyu-common` to version 2.4.2 or higher.	[,2.4.2)

Vulnerability

Vulnerable Version

Server-side Request Forgery (SSRF)

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the /sandbox/proxyGateway endpoint. An attacker can manipulate arbitrary requests and retrieve corresponding responses by inputting any URL into the requestUrl parameter. This effectively grants the attacker the capability to dispatch complete HTTP requests to hosts of their choosing.

Note:

This is only exploitable if the HTTP method, cookies, IP address, and headers are under the attacker's control.

How to fix Server-side Request Forgery (SSRF)?

Upgrade org.apache.shenyu:shenyu-common to version 2.6.0 or higher.

[,2.6.0)

Improper Authentication

Affected versions of this package are vulnerable to Improper Authentication during gateway registration. This may allow any user to register as the gateway.

How to fix Improper Authentication?

Upgrade org.apache.shenyu:shenyu-common to version 2.4.2 or higher.

[2.4.0,2.4.2)

Access Restriction Bypass

Affected versions of this package are vulnerable to Access Restriction Bypass due to missing authentication on ShenYu Admin, which allows leakage of user passwords in HTTP responses.

How to fix Access Restriction Bypass?

Upgrade org.apache.shenyu:shenyu-common to version 2.4.2 or higher.

[,2.4.2)

org.apache.shenyu:shenyu-common@2.4.0 vulnerabilities

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package manager

Direct Vulnerabilities

How to fix?