It has been discovered that Apache ShenYu Admin has insecure permissions, which may allow low-privilege administrators to modify high-privilege administrators' passwords. This issue affects Apache ShenYu 2.4.2 and 2.4.3.

New Shenyu 2.5 features

New features in Shenyu 2.5 include an improved security model, better stability, and a new role-based administration functionality.
This new functionality allows the system to be configured with roles that are able to perform certain tasks but not others. For example, when configuring a role, you can configure it so that it is allowed to create user accounts but not delete them. High-privilege administrators can be configured in this manner as well.
There has also been a lot of work done on improving the overall stability of Apache ShenYu. While this does not directly affect the vulnerability described above, it does help prevent other vulnerabilities from occurring.

Overview of CVE-2022-37435

CVE-2022-37435 is a security vulnerability in Apache ShenYu Admin. This vulnerability affects Apache ShenYu 2.4.2 and 2.4.3, which are used by many organizations and can be found on the official website at http://www.apache-shenyu.net/download/. The issue impacts all users of this software and allows low-privilege administrators to modify high-privilege administrators' passwords without authentication.
The vulnerability exists because the application lacks proper permission checks in certain components of the administrative interface (e.g., the password change page). This allows low-privilege administrators to access high-privilege administrators' account information without authentication, and thus to change their passwords without authorization and without knowledge of the target account's password hash.
In summary, an attacker with low privileges can reset high-privilege administrators' passwords or prevent them from logging in, even if those administrators changed their password after installing or updating Apache ShenYu Admin 2.4.2 or 2.4.3.
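The root cause described above is an authorization check that is missing on the password-change operation: the endpoint verifies that the caller is logged in, but not that the caller is allowed to act on the particular target account. The following Python example is added here to illustrate the defect and its fix; it is not ShenYu's code and does not reproduce ShenYu's real role tables or endpoints. The role model (`super_admin`, `admin`, `operator`, the `user:*` permissions and the rank ordering) is a constructed assumption that also mirrors the role-based administration sketched in the 2.5 section above, where a role may be allowed to create users but not delete them. `change_password_unchecked` shows the vulnerable pattern; `change_password_checked` enforces that an actor may only change their own password, or the password of an account of strictly lower rank when their role grants `user:password`.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed role model for this example only (an assumption, not ShenYu's real data).
ROLE_RANK = {"super_admin": 3, "admin": 2, "operator": 1}
ROLE_PERMISSIONS = {
    "super_admin": {"user:create", "user:delete", "user:password"},
    "admin": {"user:create", "user:password"},  # may create users but not delete them
    "operator": set(),
}

PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes = b"") -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the 16-byte salt is prepended to the digest."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    """Constant-time comparison of a candidate password against a stored hash."""
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


@dataclass
class User:
    name: str
    role: str
    pw_hash: bytes


def can_change_password(actor: User, target: User) -> bool:
    """Authorization rule: self-service always; otherwise the actor needs the
    user:password permission AND must outrank the target. An admin therefore
    cannot reset a super_admin, which is exactly the check the CVE lacks."""
    if actor.name == target.name:
        return True
    if "user:password" not in ROLE_PERMISSIONS[actor.role]:
        return False
    return ROLE_RANK[actor.role] > ROLE_RANK[target.role]


class AdminStore:
    def __init__(self) -> None:
        self.users: dict = {}

    def add_user(self, name: str, role: str, password: str) -> None:
        self.users[name] = User(name, role, hash_password(password))

    def change_password_unchecked(self, actor_name: str, target_name: str, new_password: str) -> bool:
        """Vulnerable pattern: the caller is authenticated (we resolve their
        session), but nothing checks whether they may act on `target_name`."""
        self.users[actor_name]  # authenticated caller; its role is never consulted
        target = self.users[target_name]
        target.pw_hash = hash_password(new_password)
        return True

    def change_password_checked(self, actor_name: str, target_name: str, new_password: str) -> bool:
        """Hardened pattern: the same operation gated by can_change_password."""
        actor = self.users[actor_name]
        target = self.users[target_name]
        if not can_change_password(actor, target):
            raise PermissionError(f"{actor.role} {actor_name} may not change password of {target.role} {target_name}")
        target.pw_hash = hash_password(new_password)
        return True


def demo() -> dict:
    """Walk both paths on constructed accounts and report what each allowed."""
    store = AdminStore()
    store.add_user("root", "super_admin", "root-initial")
    store.add_user("ops", "operator", "ops-initial")
    results = {}
    # Vulnerable path: the operator silently resets the super admin's password.
    results["unchecked_allowed"] = store.change_password_unchecked("ops", "root", "attacker-chosen")
    results["root_locked_out"] = not verify_password("root-initial", store.users["root"].pw_hash)
    # Hardened path: the same request is refused; self-service still works.
    try:
        store.change_password_checked("ops", "root", "attacker-chosen")
        results["checked_allowed"] = True
    except PermissionError:
        results["checked_allowed"] = False
    results["self_service_ok"] = store.change_password_checked("ops", "ops", "ops-new")
    return results


if __name__ == "__main__":
    print(demo())
```

The important design point is that the decision is made by `can_change_password` on the actor/target pair, not by a flag on the endpoint: a route-level "is admin" check would still let any admin overwrite the super admin, while the rank comparison gives the hierarchy the page's fix implies. For detection, the unchecked version also leaves no trace of who changed whose password; logging the actor and target on every password change (and alerting when the actor's rank is at or below the target's) is the corresponding monitoring control.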

Timeline

Published on: 09/01/2022 14:15:00 UTC
Last modified on: 09/09/2022 14:18:00 UTC

References