Details of VAR-202205-1369

ID

VAR-202205-1369

CVE

CVE-2022-26650

TITLE

Apache ShenYu Denial of Service Vulnerability

Trust: 0.6

sources: CNVD: CNVD-2022-41632

DESCRIPTION

In Apache ShenYui, ShenYu-Bootstrap, RegexPredicateJudge.java uses Pattern.matches(conditionData.getParamValue(), realData) to make judgments, where both parameters are controllable by the user. This can cause an attacker pass in malicious regular expressions and characters causing a resource exhaustion. This issue affects Apache ShenYu (incubating) 2.4.0, 2.4.1 and 2.4.2 and is fixed in 2.4.3. Apache ShenYu is an asynchronous, high-performance, cross-language, reactive API gateway of the Apache Foundation. A denial of service vulnerability exists in Apache ShenYu, which is caused by not properly handling the input error message

Trust: 1.53

sources: NVD: CVE-2022-26650 // CNVD: CNVD-2022-41632 // VULMON: CVE-2022-26650

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2022-41632

AFFECTED PRODUCTS

vendor:	apache	model:	shenyu	scope:	eq	version:	2.4.0	Trust: 1.6
vendor:	apache	model:	shenyu	scope:	eq	version:	2.4.1	Trust: 1.6
vendor:	apache	model:	shenyu	scope:	eq	version:	2.4.2	Trust: 1.6

sources: CNVD: CNVD-2022-41632 // NVD: CVE-2022-26650

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2022-26650
value:	HIGH
Trust: 1.0
CNVD:	CNVD-2022-41632
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202205-3542
value:	HIGH
Trust: 0.6
VULMON:	CVE-2022-26650
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2022-26650
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.1
CNVD:	CNVD-2022-41632
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2022-26650
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	3.6
version:	3.1
Trust: 1.0

sources: CNVD: CNVD-2022-41632 // VULMON: CVE-2022-26650 // CNNVD: CNNVD-202205-3542 // NVD: CVE-2022-26650

PROBLEMTYPE DATA

problemtype:

CWE-1333

Trust: 1.0

sources: NVD: CVE-2022-26650

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202205-3542

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202205-3542

PATCH

title:	Patch for Apache ShenYu Denial of Service Vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/334086	Trust: 0.6
title:	Apache ShenYu Security vulnerabilities	url:	http://123.124.177.30/web/xxk/bdxqById.tag?id=194105	Trust: 0.6

sources: CNVD: CNVD-2022-41632 // CNNVD: CNNVD-202205-3542

EXTERNAL IDS

db:	NVD	id:	CVE-2022-26650	Trust: 2.3
db:	OPENWALL	id:	OSS-SECURITY/2022/05/17/3	Trust: 1.7
db:	CNVD	id:	CNVD-2022-41632	Trust: 0.6
db:	CS-HELP	id:	SB2022051722	Trust: 0.6
db:	CNNVD	id:	CNNVD-202205-3542	Trust: 0.6
db:	VULMON	id:	CVE-2022-26650	Trust: 0.1

sources: CNVD: CNVD-2022-41632 // VULMON: CVE-2022-26650 // CNNVD: CNNVD-202205-3542 // NVD: CVE-2022-26650

REFERENCES

url:	https://lists.apache.org/thread/8rp33m3nm4bwtx3qx76mqynth3t3d673	Trust: 1.7
url:	http://www.openwall.com/lists/oss-security/2022/05/17/3	Trust: 1.7
url:	https://nvd.nist.gov/vuln/detail/cve-2022-26650	Trust: 0.6
url:	https://cxsecurity.com/cveshow/cve-2022-26650/	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2022051722	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/862.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: CNVD: CNVD-2022-41632 // VULMON: CVE-2022-26650 // CNNVD: CNNVD-202205-3542 // NVD: CVE-2022-26650

SOURCES

db:	CNVD	id:	CNVD-2022-41632
db:	VULMON	id:	CVE-2022-26650
db:	CNNVD	id:	CNNVD-202205-3542
db:	NVD	id:	CVE-2022-26650

LAST UPDATE DATE

2024-11-23T22:04:50.012000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2022-41632	date:	2022-05-28T00:00:00
db:	VULMON	id:	CVE-2022-26650	date:	2022-05-25T00:00:00
db:	CNNVD	id:	CNNVD-202205-3542	date:	2023-07-12T00:00:00
db:	NVD	id:	CVE-2022-26650	date:	2024-11-21T06:54:15.510

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2022-41632	date:	2022-05-28T00:00:00
db:	VULMON	id:	CVE-2022-26650	date:	2022-05-17T00:00:00
db:	CNNVD	id:	CNNVD-202205-3542	date:	2022-05-17T00:00:00
db:	NVD	id:	CVE-2022-26650	date:	2022-05-17T08:15:06.423