Details of VAR-202201-0596

ID

VAR-202201-0596

CVE

CVE-2022-23223

TITLE

Apache ShenYu Information Disclosure Vulnerability

Trust: 1.2

sources: CNVD: CNVD-2022-18268 // CNNVD: CNNVD-202201-2306

DESCRIPTION

On Apache ShenYu versions 2.4.0 and 2.4.1, and endpoint existed that disclosed the passwords of all users. Users are recommended to upgrade to version 2.4.2 or later. Apache ShenYu There are vulnerabilities in inadequate protection of credentials.Information may be obtained. Apache ShenYu is an asynchronous, high-performance, cross-language, reactive API gateway of the Apache Foundation. There is an information disclosure vulnerability in Apache ShenYu in versions 2.4.0 and 2.4.1, which originates from errors in the configuration of network systems or products during operation. An attacker could exploit this vulnerability to see the user's password in the HTTP response

Trust: 2.25

sources: NVD: CVE-2022-23223 // JVNDB: JVNDB-2022-004182 // CNVD: CNVD-2022-18268 // VULMON: CVE-2022-23223

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2022-18268

AFFECTED PRODUCTS

vendor:	apache	model:	shenyu	scope:	eq	version:	2.4.0	Trust: 2.4
vendor:	apache	model:	shenyu	scope:	eq	version:	2.4.1	Trust: 2.4
vendor:	apache	model:	shenyu	scope:	eq	version:	-	Trust: 0.8

sources: CNVD: CNVD-2022-18268 // JVNDB: JVNDB-2022-004182 // NVD: CVE-2022-23223

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2022-23223
value:	HIGH
Trust: 1.0
NVD:	CVE-2022-23223
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2022-18268
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202201-2306
value:	HIGH
Trust: 0.6
VULMON:	CVE-2022-23223
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2022-23223
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
CNVD:	CNVD-2022-18268
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2022-23223
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	3.6
version:	3.1
Trust: 1.0
NVD:	CVE-2022-23223
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2022-18268 // VULMON: CVE-2022-23223 // JVNDB: JVNDB-2022-004182 // CNNVD: CNNVD-202201-2306 // NVD: CVE-2022-23223

PROBLEMTYPE DATA

problemtype:	CWE-522	Trust: 1.0
problemtype:	Inadequate protection of credentials (CWE-522) [NVD evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2022-004182 // NVD: CVE-2022-23223

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202201-2306

TYPE

information disclosure

Trust: 0.6

sources: CNNVD: CNNVD-202201-2306

PATCH

title:	CVE-2022-23223	url:	https://lists.apache.org/thread/q2gg6ny6lpkph7nkrvjzqdvqpm805v8s	Trust: 0.8
title:	Patch for Apache ShenYu Information Disclosure Vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/324656	Trust: 0.6
title:	Apache ShenYu Repair measures for information disclosure vulnerabilities	url:	http://123.124.177.30/web/xxk/bdxqById.tag?id=180314	Trust: 0.6
title:	CVE-2022-XXXX	url:	https://github.com/AlphabugX/CVE-2022-23305	Trust: 0.1
title:	CVE-2022-XXXX	url:	https://github.com/AlphabugX/CVE-2022-RCE	Trust: 0.1

sources: CNVD: CNVD-2022-18268 // VULMON: CVE-2022-23223 // JVNDB: JVNDB-2022-004182 // CNNVD: CNNVD-202201-2306

EXTERNAL IDS

db:	NVD	id:	CVE-2022-23223	Trust: 3.9
db:	OPENWALL	id:	OSS-SECURITY/2022/01/26/4	Trust: 2.5
db:	OPENWALL	id:	OSS-SECURITY/2022/01/25/7	Trust: 1.7
db:	JVNDB	id:	JVNDB-2022-004182	Trust: 0.8
db:	CNVD	id:	CNVD-2022-18268	Trust: 0.6
db:	CS-HELP	id:	SB2022012522	Trust: 0.6
db:	CNNVD	id:	CNNVD-202201-2306	Trust: 0.6
db:	VULMON	id:	CVE-2022-23223	Trust: 0.1

sources: CNVD: CNVD-2022-18268 // VULMON: CVE-2022-23223 // JVNDB: JVNDB-2022-004182 // CNNVD: CNNVD-202201-2306 // NVD: CVE-2022-23223

REFERENCES

url:	http://www.openwall.com/lists/oss-security/2022/01/26/4	Trust: 2.5
url:	https://nvd.nist.gov/vuln/detail/cve-2022-23223	Trust: 2.0
url:	https://lists.apache.org/thread/q2gg6ny6lpkph7nkrvjzqdvqpm805v8s	Trust: 1.7
url:	http://www.openwall.com/lists/oss-security/2022/01/25/7	Trust: 1.7
url:	https://www.cybersecurity-help.cz/vdb/sb2022012522	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/522.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://github.com/alphabugx/cve-2022-23305	Trust: 0.1

sources: CNVD: CNVD-2022-18268 // VULMON: CVE-2022-23223 // JVNDB: JVNDB-2022-004182 // CNNVD: CNNVD-202201-2306 // NVD: CVE-2022-23223

SOURCES

db:	CNVD	id:	CNVD-2022-18268
db:	VULMON	id:	CVE-2022-23223
db:	JVNDB	id:	JVNDB-2022-004182
db:	CNNVD	id:	CNNVD-202201-2306
db:	NVD	id:	CVE-2022-23223

LAST UPDATE DATE

2024-11-23T22:20:40.983000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2022-18268	date:	2022-03-11T00:00:00
db:	VULMON	id:	CVE-2022-23223	date:	2023-10-16T00:00:00
db:	JVNDB	id:	JVNDB-2022-004182	date:	2023-03-28T03:23:00
db:	CNNVD	id:	CNNVD-202201-2306	date:	2023-07-14T00:00:00
db:	NVD	id:	CVE-2022-23223	date:	2024-11-21T06:48:13.633

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2022-18268	date:	2022-03-10T00:00:00
db:	VULMON	id:	CVE-2022-23223	date:	2022-01-25T00:00:00
db:	JVNDB	id:	JVNDB-2022-004182	date:	2023-03-28T00:00:00
db:	CNNVD	id:	CNNVD-202201-2306	date:	2022-01-25T00:00:00
db:	NVD	id:	CVE-2022-23223	date:	2022-01-25T13:15:08.137