Apache ShenYu JWT Authentication Vulnerability (CVE-2021-37580)

News 2023-07-28 22:11:52 views: null

0x01 vulnerability description

Apache ShenYu is a scalable, high-performance, and responsive API gateway solution for all microservice scenarios.

Apache ShenYu Admin has an authentication bypass vulnerability** (CVE-2021-37580)* , and the CVSS score of this vulnerability is 9.8*** . Since the wrong use of JWT in ShenyuAdminBootstrap allows attackers to bypass authentication, attackers can directly enter the system background through this vulnerability.

0x02 affects the version

Apache ShenYu 2.3.0

Apache ShenYu 2.4.0

0x03 Vulnerability recurrence

Fofa search title

body=“id=“httpPath””&&body=“th:text=”${domain}""

image-20211122090556150

Verify POC:

/dashboardUser

image-20211122090522526

repair

upgrade to latest version

Guess you like

Origin blog.csdn.net/god_zzZ/article/details/121502462
Recommended
Ranking
iframe let subpages parent page jump parent.location.href
Android Studio connects to Tomcat server in Springboot Failed to connect to XXX
Introduction to the use of Axure components, login interface and drawing of personal resume
Unreal Engine UE problem collection (continuously added)
day72 importlib module
IntelliJ ideaIC / ideaIU download and activation crack
Typescript 静态属性&方法 多态 抽象类
TestNg use annotations
FiscoBcos uses Go to call contracts
Binary-thirds Find
Daily
More
2024-07-30(0)
2024-07-29(0)
2024-07-28(0)
2024-07-27(0)
2024-07-26(0)
2024-07-25(0)
2024-07-24(0)
2024-07-23(0)
2024-07-22(0)
2024-07-21(0)

Code World

© 2018 codetd.com