Description:
User can access /plugin api without authentication. This issue
affected Apache ShenYu 240 and 241.
--
Zhang Yonglun
Apache ShenYu (Incubating)
Apache ShardingSphere ...
Severity: moderate
Description:
Any user can access /plugin API without authentication. The project
uses Shiro to authenticate, but the default WhiteLists are defined in
application include /plugin path.
So everybody can access /plugin API which will list the details of all
plugins, including id, name, config (may include password). We can also
ad ...
On 1/25/22 03:39, Zhang Yonglun wrote:
Thanks for informing oss-security of these issues, but good security
announcements have a little more detail, like what actions users or
distributors need to take (upgrade to a new version? what version?)
and information on where to find more details, like a bug id in your
bug tracker. If you look at the a ...