CVE-2022-23223

HIGH

Apache Shenyu < 2.4.2 - Insufficiently Protected Credentials

Title source: rule

Description

On Apache ShenYu versions 2.4.0 and 2.4.1, and endpoint existed that disclosed the passwords of all users. Users are recommended to upgrade to version 2.4.2 or later.

References (3)

[Mailing List, Third Party Advisory] http://www.openwall.com/lists/oss-security/2022/01/25/7

[Exploit, Mailing List, Patch, Third Party Advisory] http://www.openwall.com/lists/oss-security/2022/01/26/4

[Mailing List, Vendor Advisory] https://lists.apache.org/thread/q2gg6ny6lpkph7nkrvjzqdvqpm805v8s

Scores

CVSS v3 7.5

EPSS 0.0455

EPSS Percentile 89.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Classification

CWE

CWE-522

Status published

Affected Products (3)

apache/shenyu

org.apache.shenyu/shenyu-common < 2.4.2Maven

Timeline

Published Jan 25, 2022

Tracked Since Feb 18, 2026