Vulnerability-Lookup

CVE-2021-37580 (GCVE-0-2021-37580)

Vulnerability from cvelistv5 – Published: 2021-11-16 09:35 – Updated: 2024-08-04 01:23

Title

Apache ShenYu Admin bypass JWT authentication

Summary

A flaw was found in Apache ShenYu Admin. The incorrect use of JWT in ShenyuAdminBootstrap allows an attacker to bypass authentication. This issue affected Apache ShenYu 2.3.0 and 2.4.0

Severity

No CVSS data available.

CWE

CWE-287 - Improper Authentication

Assigner

apache

References

2 references

URL	Tags
https://lists.apache.org/thread/o15j25qwtpcw62k48…	x_refsource_MISC
http://www.openwall.com/lists/oss-security/2021/11/16/1	mailing-listx_refsource_MLIST

Impacted products

1 product

Vendor	Product	Version
Apache Software Foundation	Apache ShenYu Admin	Affected: Apache ShenYu Admin 2.3.0-2.4.0

Credits

This issue was reported by 伍雄

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T01:23:01.186Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread/o15j25qwtpcw62k48xw1tnv48skh3zgb"
          },
          {
            "name": "[oss-security] 20211116 CVE-2021-37580: Apache ShenYu Admin bypass JWT authentication",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2021/11/16/1"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Apache ShenYu Admin",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "status": "affected",
              "version": "Apache ShenYu Admin 2.3.0-2.4.0"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "This issue was reported by \u4f0d \u96c4"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in Apache ShenYu Admin. The incorrect use of JWT in ShenyuAdminBootstrap allows an attacker to bypass authentication. This issue affected Apache ShenYu 2.3.0 and 2.4.0"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-287",
              "description": "CWE-287 Improper Authentication",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-11-16T12:06:06.000Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://lists.apache.org/thread/o15j25qwtpcw62k48xw1tnv48skh3zgb"
        },
        {
          "name": "[oss-security] 20211116 CVE-2021-37580: Apache ShenYu Admin bypass JWT authentication",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2021/11/16/1"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Apache ShenYu Admin bypass JWT authentication",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2021-37580",
          "STATE": "PUBLIC",
          "TITLE": "Apache ShenYu Admin bypass JWT authentication"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Apache ShenYu Admin",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "=",
                            "version_name": "Apache ShenYu Admin",
                            "version_value": "2.3.0-2.4.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Apache Software Foundation"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "This issue was reported by \u4f0d \u96c4"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A flaw was found in Apache ShenYu Admin. The incorrect use of JWT in ShenyuAdminBootstrap allows an attacker to bypass authentication. This issue affected Apache ShenYu 2.3.0 and 2.4.0"
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": [
          {}
        ],
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-287 Improper Authentication"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://lists.apache.org/thread/o15j25qwtpcw62k48xw1tnv48skh3zgb",
              "refsource": "MISC",
              "url": "https://lists.apache.org/thread/o15j25qwtpcw62k48xw1tnv48skh3zgb"
            },
            {
              "name": "[oss-security] 20211116 CVE-2021-37580: Apache ShenYu Admin bypass JWT authentication",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2021/11/16/1"
            }
          ]
        },
        "source": {
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2021-37580",
    "datePublished": "2021-11-16T09:35:11.000Z",
    "dateReserved": "2021-07-27T00:00:00.000Z",
    "dateUpdated": "2024-08-04T01:23:01.186Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2021-37580",
      "date": "2026-05-30",
      "epss": "0.93993",
      "percentile": "0.99896"
    },
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:shenyu:2.3.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"7942402D-AEAF-4F59-BDEB-D61E7016C0AC\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:shenyu:2.4.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"FCB21C2B-B251-4982-902C-08EBB417FFEE\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"A flaw was found in Apache ShenYu Admin. The incorrect use of JWT in ShenyuAdminBootstrap allows an attacker to bypass authentication. This issue affected Apache ShenYu 2.3.0 and 2.4.0\"}, {\"lang\": \"es\", \"value\": \"Se ha encontrado un fallo en Apache ShenYu Admin. El uso incorrecto de JWT en ShenyuAdminBootstrap permite a un atacante omitir la autenticaci\\u00f3n. Este problema afecta a Apache ShenYu versiones 2.3.0 y 2.4.0\"}]",
      "id": "CVE-2021-37580",
      "lastModified": "2024-11-21T06:15:27.900",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.9}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:P/I:P/A:P\", \"baseScore\": 7.5, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"HIGH\", \"exploitabilityScore\": 10.0, \"impactScore\": 6.4, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2021-11-16T10:15:07.220",
      "references": "[{\"url\": \"http://www.openwall.com/lists/oss-security/2021/11/16/1\", \"source\": \"security@apache.org\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"https://lists.apache.org/thread/o15j25qwtpcw62k48xw1tnv48skh3zgb\", \"source\": \"security@apache.org\", \"tags\": [\"Mailing List\", \"Vendor Advisory\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2021/11/16/1\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"https://lists.apache.org/thread/o15j25qwtpcw62k48xw1tnv48skh3zgb\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Vendor Advisory\"]}]",
      "sourceIdentifier": "security@apache.org",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"security@apache.org\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-287\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-287\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-37580\",\"sourceIdentifier\":\"security@apache.org\",\"published\":\"2021-11-16T10:15:07.220\",\"lastModified\":\"2024-11-21T06:15:27.900\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A flaw was found in Apache ShenYu Admin. The incorrect use of JWT in ShenyuAdminBootstrap allows an attacker to bypass authentication. This issue affected Apache ShenYu 2.3.0 and 2.4.0\"},{\"lang\":\"es\",\"value\":\"Se ha encontrado un fallo en Apache ShenYu Admin. El uso incorrecto de JWT en ShenyuAdminBootstrap permite a un atacante omitir la autenticaci\u00f3n. Este problema afecta a Apache ShenYu versiones 2.3.0 y 2.4.0\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:P/A:P\",\"baseScore\":7.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":10.0,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"security@apache.org\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-287\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-287\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:shenyu:2.3.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"7942402D-AEAF-4F59-BDEB-D61E7016C0AC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:shenyu:2.4.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"FCB21C2B-B251-4982-902C-08EBB417FFEE\"}]}]}],\"references\":[{\"url\":\"http://www.openwall.com/lists/oss-security/2021/11/16/1\",\"source\":\"security@apache.org\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://lists.apache.org/thread/o15j25qwtpcw62k48xw1tnv48skh3zgb\",\"source\":\"security@apache.org\",\"tags\":[\"Mailing List\",\"Vendor Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2021/11/16/1\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://lists.apache.org/thread/o15j25qwtpcw62k48xw1tnv48skh3zgb\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Vendor Advisory\"]}]}}"
  }
}

CNVD-2021-89682

Vulnerability from cnvd - Published: 2021-11-22

Title

Apache ShenYu授权问题漏洞

Description

Apache ShenYu是美国阿帕奇（Apache）基金会的一个异步的，高性能的，跨语言的，响应式的API网关。 Apache ShenYu Admin存在授权问题漏洞，该漏洞源于ShenyuAdminBootstrap中JWT的错误使用允许攻击者绕过身份验证。目前没有详细的漏洞细节提供。

Severity

高

Patch Name

Apache ShenYu授权问题漏洞的补丁

Patch Description

Apache ShenYu是美国阿帕奇（Apache）基金会的一个异步的，高性能的，跨语言的，响应式的API网关。 Apache ShenYu Admin存在授权问题漏洞，该漏洞源于ShenyuAdminBootstrap中JWT的错误使用允许攻击者绕过身份验证。目前没有详细的漏洞细节提供。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://lists.apache.org/thread/o15j25qwtpcw62k48xw1tnv48skh3zgb

Reference

https://nvd.nist.gov/vuln/detail/CVE-2021-37580

Impacted products

Name
['Apache shenyu 2.3.0', 'Apache shenyu 2.4.0']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2021-37580"
    }
  },
  "description": "Apache ShenYu\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u57fa\u91d1\u4f1a\u7684\u4e00\u4e2a\u5f02\u6b65\u7684\uff0c\u9ad8\u6027\u80fd\u7684\uff0c\u8de8\u8bed\u8a00\u7684\uff0c\u54cd\u5e94\u5f0f\u7684API\u7f51\u5173\u3002\n\nApache ShenYu Admin\u5b58\u5728\u6388\u6743\u95ee\u9898\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8eShenyuAdminBootstrap\u4e2dJWT\u7684\u9519\u8bef\u4f7f\u7528\u5141\u8bb8\u653b\u51fb\u8005\u7ed5\u8fc7\u8eab\u4efd\u9a8c\u8bc1\u3002\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u7684\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://lists.apache.org/thread/o15j25qwtpcw62k48xw1tnv48skh3zgb",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2021-89682",
  "openTime": "2021-11-22",
  "patchDescription": "Apache ShenYu\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u57fa\u91d1\u4f1a\u7684\u4e00\u4e2a\u5f02\u6b65\u7684\uff0c\u9ad8\u6027\u80fd\u7684\uff0c\u8de8\u8bed\u8a00\u7684\uff0c\u54cd\u5e94\u5f0f\u7684API\u7f51\u5173\u3002\r\n\r\nApache ShenYu Admin\u5b58\u5728\u6388\u6743\u95ee\u9898\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8eShenyuAdminBootstrap\u4e2dJWT\u7684\u9519\u8bef\u4f7f\u7528\u5141\u8bb8\u653b\u51fb\u8005\u7ed5\u8fc7\u8eab\u4efd\u9a8c\u8bc1\u3002\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u7684\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Apache ShenYu\u6388\u6743\u95ee\u9898\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Apache shenyu 2.3.0",
      "Apache shenyu 2.4.0"
    ]
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2021-37580",
  "serverity": "\u9ad8",
  "submitTime": "2021-11-17",
  "title": "Apache ShenYu\u6388\u6743\u95ee\u9898\u6f0f\u6d1e"
}

FKIE_CVE-2021-37580

Vulnerability from fkie_nvd - Published: 2021-11-16 10:15 - Updated: 2024-11-21 06:15

Severity

9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

A flaw was found in Apache ShenYu Admin. The incorrect use of JWT in ShenyuAdminBootstrap allows an attacker to bypass authentication. This issue affected Apache ShenYu 2.3.0 and 2.4.0

References

URL	Tags
security@apache.org	http://www.openwall.com/lists/oss-security/2021/11/16/1	Mailing List, Third Party Advisory
security@apache.org	https://lists.apache.org/thread/o15j25qwtpcw62k48xw1tnv48skh3zgb	Mailing List, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.openwall.com/lists/oss-security/2021/11/16/1	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread/o15j25qwtpcw62k48xw1tnv48skh3zgb	Mailing List, Vendor Advisory

Impacted products

	Vendor	Product	Version
	apache	shenyu	2.3.0
	apache	shenyu	2.4.0

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:apache:shenyu:2.3.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "7942402D-AEAF-4F59-BDEB-D61E7016C0AC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:shenyu:2.4.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "FCB21C2B-B251-4982-902C-08EBB417FFEE",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A flaw was found in Apache ShenYu Admin. The incorrect use of JWT in ShenyuAdminBootstrap allows an attacker to bypass authentication. This issue affected Apache ShenYu 2.3.0 and 2.4.0"
    },
    {
      "lang": "es",
      "value": "Se ha encontrado un fallo en Apache ShenYu Admin. El uso incorrecto de JWT en ShenyuAdminBootstrap permite a un atacante omitir la autenticaci\u00f3n. Este problema afecta a Apache ShenYu versiones 2.3.0 y 2.4.0"
    }
  ],
  "id": "CVE-2021-37580",
  "lastModified": "2024-11-21T06:15:27.900",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 7.5,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-11-16T10:15:07.220",
  "references": [
    {
      "source": "security@apache.org",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2021/11/16/1"
    },
    {
      "source": "security@apache.org",
      "tags": [
        "Mailing List",
        "Vendor Advisory"
      ],
      "url": "https://lists.apache.org/thread/o15j25qwtpcw62k48xw1tnv48skh3zgb"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2021/11/16/1"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Vendor Advisory"
      ],
      "url": "https://lists.apache.org/thread/o15j25qwtpcw62k48xw1tnv48skh3zgb"
    }
  ],
  "sourceIdentifier": "security@apache.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-287"
        }
      ],
      "source": "security@apache.org",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-287"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GHSA-VPFP-5GWQ-G533

Vulnerability from github – Published: 2021-11-17 23:15 – Updated: 2023-09-05 22:18

Summary

Improper Authentication in Apache ShenYu Admin

Details

A flaw was found in Apache ShenYu Admin. The incorrect use of JWT in ShenyuAdminBootstrap allows an attacker to bypass authentication. This issue affected Apache ShenYu 2.3.0 and 2.4.0.

Severity

9.8 (Critical)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.shenyu:shenyu-admin"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.3.0"
            },
            {
              "fixed": "2.4.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-37580"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-11-17T22:31:03Z",
    "nvd_published_at": "2021-11-16T10:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "A flaw was found in Apache ShenYu Admin. The incorrect use of JWT in ShenyuAdminBootstrap allows an attacker to bypass authentication. This issue affected Apache ShenYu 2.3.0 and 2.4.0.",
  "id": "GHSA-vpfp-5gwq-g533",
  "modified": "2023-09-05T22:18:19Z",
  "published": "2021-11-17T23:15:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37580"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/shenyu/commit/f78adb26926ba53b4ec5c21f2cf7e931461d601d"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/shenyu"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/shenyu/releases/tag/v2.4.1"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/o15j25qwtpcw62k48xw1tnv48skh3zgb"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2021/11/16/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Improper Authentication in Apache ShenYu Admin"
}

GSD-2021-37580

Vulnerability from gsd - Updated: 2023-12-13 01:23

Details

A flaw was found in Apache ShenYu Admin. The incorrect use of JWT in ShenyuAdminBootstrap allows an attacker to bypass authentication. This issue affected Apache ShenYu 2.3.0 and 2.4.0

Aliases

CVE-2021-37580

Aliases

CVE-2021-37580

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2021-37580",
    "description": "A flaw was found in Apache ShenYu Admin. The incorrect use of JWT in ShenyuAdminBootstrap allows an attacker to bypass authentication. This issue affected Apache ShenYu 2.3.0 and 2.4.0",
    "id": "GSD-2021-37580"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2021-37580"
      ],
      "details": "A flaw was found in Apache ShenYu Admin. The incorrect use of JWT in ShenyuAdminBootstrap allows an attacker to bypass authentication. This issue affected Apache ShenYu 2.3.0 and 2.4.0",
      "id": "GSD-2021-37580",
      "modified": "2023-12-13T01:23:09.975298Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security@apache.org",
        "ID": "CVE-2021-37580",
        "STATE": "PUBLIC",
        "TITLE": "Apache ShenYu Admin bypass JWT authentication"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Apache ShenYu Admin",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_name": "Apache ShenYu Admin",
                          "version_value": "2.3.0-2.4.0"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Apache Software Foundation"
            }
          ]
        }
      },
      "credit": [
        {
          "lang": "eng",
          "value": "This issue was reported by \u4f0d \u96c4"
        }
      ],
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "A flaw was found in Apache ShenYu Admin. The incorrect use of JWT in ShenyuAdminBootstrap allows an attacker to bypass authentication. This issue affected Apache ShenYu 2.3.0 and 2.4.0"
          }
        ]
      },
      "generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "impact": [
        {}
      ],
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-287 Improper Authentication"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://lists.apache.org/thread/o15j25qwtpcw62k48xw1tnv48skh3zgb",
            "refsource": "MISC",
            "url": "https://lists.apache.org/thread/o15j25qwtpcw62k48xw1tnv48skh3zgb"
          },
          {
            "name": "[oss-security] 20211116 CVE-2021-37580: Apache ShenYu Admin bypass JWT authentication",
            "refsource": "MLIST",
            "url": "http://www.openwall.com/lists/oss-security/2021/11/16/1"
          }
        ]
      },
      "source": {
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "[2.3.0,2.4.0]",
          "affected_versions": "All versions starting from 2.3.0 up to 2.4.0",
          "cvss_v2": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-287",
            "CWE-937"
          ],
          "date": "2021-11-17",
          "description": "A flaw was found in Apache ShenYu Admin. The incorrect use of JWT in `ShenyuAdminBootstrap` allows an attacker to bypass authentication.",
          "fixed_versions": [
            "2.4.1"
          ],
          "identifier": "CVE-2021-37580",
          "identifiers": [
            "CVE-2021-37580"
          ],
          "not_impacted": "All versions before 2.3.0, all versions after 2.4.0",
          "package_slug": "maven/org.apache.shenyu/shenyu-admin",
          "pubdate": "2021-11-16",
          "solution": "Upgrade to version 2.4.1 or above.",
          "title": "Improper Authentication",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2021-37580",
            "https://lists.apache.org/thread/o15j25qwtpcw62k48xw1tnv48skh3zgb",
            "http://www.openwall.com/lists/oss-security/2021/11/16/1"
          ],
          "uuid": "dabe7212-cd4a-4f17-ba1b-4b162b99ec54"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:apache:shenyu:2.3.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:shenyu:2.4.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2021-37580"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "A flaw was found in Apache ShenYu Admin. The incorrect use of JWT in ShenyuAdminBootstrap allows an attacker to bypass authentication. This issue affected Apache ShenYu 2.3.0 and 2.4.0"
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-287"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://lists.apache.org/thread/o15j25qwtpcw62k48xw1tnv48skh3zgb",
              "refsource": "MISC",
              "tags": [
                "Mailing List",
                "Vendor Advisory"
              ],
              "url": "https://lists.apache.org/thread/o15j25qwtpcw62k48xw1tnv48skh3zgb"
            },
            {
              "name": "[oss-security] 20211116 CVE-2021-37580: Apache ShenYu Admin bypass JWT authentication",
              "refsource": "MLIST",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2021/11/16/1"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 6.4,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "HIGH",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2021-11-17T20:17Z",
      "publishedDate": "2021-11-16T10:15Z"
    }
  }
}

VAR-202111-0822

Vulnerability from variot - Updated: 2023-12-18 11:57

A flaw was found in Apache ShenYu Admin. The incorrect use of JWT in ShenyuAdminBootstrap allows an attacker to bypass authentication. This issue affected Apache ShenYu 2.3.0 and 2.4.0. Apache ShenYu Admin There is an authentication vulnerability in.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. Apache ShenYu is an asynchronous, high-performance, cross-language, and responsive API gateway of the Apache Foundation. No detailed vulnerability details are currently provided

Show details on source website

JSON

To clipboard

{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-202111-0822",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "shenyu",
        "scope": "eq",
        "trust": 2.4,
        "vendor": "apache",
        "version": "2.3.0"
      },
      {
        "model": "shenyu",
        "scope": "eq",
        "trust": 2.4,
        "vendor": "apache",
        "version": "2.4.0"
      },
      {
        "model": "shenyu",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "apache",
        "version": null
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2021-89682"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-015197"
      },
      {
        "db": "NVD",
        "id": "CVE-2021-37580"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:apache:shenyu:2.3.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:shenyu:2.4.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2021-37580"
      }
    ]
  },
  "cve": "CVE-2021-37580",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "acInsufInfo": false,
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "NVD",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 10.0,
            "impactScore": 6.4,
            "integrityImpact": "PARTIAL",
            "obtainAllPrivilege": false,
            "obtainOtherPrivilege": false,
            "obtainUserPrivilege": false,
            "severity": "HIGH",
            "trust": 1.0,
            "userInteractionRequired": false,
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "Low",
            "accessVector": "Network",
            "authentication": "None",
            "author": "NVD",
            "availabilityImpact": "Partial",
            "baseScore": 7.5,
            "confidentialityImpact": "Partial",
            "exploitabilityScore": null,
            "id": "CVE-2021-37580",
            "impactScore": null,
            "integrityImpact": "Partial",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "High",
            "trust": 0.9,
            "userInteractionRequired": null,
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "CNVD",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 10.0,
            "id": "CNVD-2021-89682",
            "impactScore": 6.4,
            "integrityImpact": "PARTIAL",
            "severity": "HIGH",
            "trust": 0.6,
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "NVD",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 3.9,
            "impactScore": 5.9,
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "trust": 1.0,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          {
            "attackComplexity": "Low",
            "attackVector": "Network",
            "author": "NVD",
            "availabilityImpact": "High",
            "baseScore": 9.8,
            "baseSeverity": "Critical",
            "confidentialityImpact": "High",
            "exploitabilityScore": null,
            "id": "CVE-2021-37580",
            "impactScore": null,
            "integrityImpact": "High",
            "privilegesRequired": "None",
            "scope": "Unchanged",
            "trust": 0.8,
            "userInteraction": "None",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "NVD",
            "id": "CVE-2021-37580",
            "trust": 1.8,
            "value": "CRITICAL"
          },
          {
            "author": "CNVD",
            "id": "CNVD-2021-89682",
            "trust": 0.6,
            "value": "HIGH"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-202111-1500",
            "trust": 0.6,
            "value": "CRITICAL"
          },
          {
            "author": "VULMON",
            "id": "CVE-2021-37580",
            "trust": 0.1,
            "value": "HIGH"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2021-89682"
      },
      {
        "db": "VULMON",
        "id": "CVE-2021-37580"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-015197"
      },
      {
        "db": "NVD",
        "id": "CVE-2021-37580"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202111-1500"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "A flaw was found in Apache ShenYu Admin. The incorrect use of JWT in ShenyuAdminBootstrap allows an attacker to bypass authentication. This issue affected Apache ShenYu 2.3.0 and 2.4.0. Apache ShenYu Admin There is an authentication vulnerability in.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. Apache ShenYu is an asynchronous, high-performance, cross-language, and responsive API gateway of the Apache Foundation. No detailed vulnerability details are currently provided",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2021-37580"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-015197"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2021-89682"
      },
      {
        "db": "VULMON",
        "id": "CVE-2021-37580"
      }
    ],
    "trust": 2.25
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2021-37580",
        "trust": 3.9
      },
      {
        "db": "OPENWALL",
        "id": "OSS-SECURITY/2021/11/16/1",
        "trust": 1.7
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-015197",
        "trust": 0.8
      },
      {
        "db": "CNVD",
        "id": "CNVD-2021-89682",
        "trust": 0.6
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202111-1500",
        "trust": 0.6
      },
      {
        "db": "VULMON",
        "id": "CVE-2021-37580",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2021-89682"
      },
      {
        "db": "VULMON",
        "id": "CVE-2021-37580"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-015197"
      },
      {
        "db": "NVD",
        "id": "CVE-2021-37580"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202111-1500"
      }
    ]
  },
  "id": "VAR-202111-0822",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2021-89682"
      }
    ],
    "trust": 1.1079365399999999
  },
  "iot_taxonomy": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "category": [
          "Network device"
        ],
        "sub_category": null,
        "trust": 0.6
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2021-89682"
      }
    ]
  },
  "last_update_date": "2023-12-18T11:57:02.259000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "CVE-2021-37580",
        "trust": 0.8,
        "url": "https://lists.apache.org/thread/o15j25qwtpcw62k48xw1tnv48skh3zgb"
      },
      {
        "title": "Patch for Apache ShenYu authorization issue vulnerability",
        "trust": 0.6,
        "url": "https://www.cnvd.org.cn/patchinfo/show/300116"
      },
      {
        "title": "Apache ShenYu Remediation measures for authorization problem vulnerabilities",
        "trust": 0.6,
        "url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=170134"
      },
      {
        "title": "CVE-2021-37580",
        "trust": 0.1,
        "url": "https://github.com/liang2580/cve-2021-37580 "
      },
      {
        "title": "CVE-2021-37580",
        "trust": 0.1,
        "url": "https://github.com/fengwenhua/cve-2021-37580 "
      },
      {
        "title": "CVE-2021-37580",
        "trust": 0.1,
        "url": "https://github.com/rabbitsafe/cve-2021-37580 "
      },
      {
        "title": "westone-CVE-2021-37580-scanner",
        "trust": 0.1,
        "url": "https://github.com/osyanina/westone-cve-2021-37580-scanner "
      },
      {
        "title": "CVE-2021-37580",
        "trust": 0.1,
        "url": "https://github.com/wing-song/cve-2021-37580 "
      },
      {
        "title": "CVE-2021-37580",
        "trust": 0.1,
        "url": "https://github.com/zororoz/cve-2021-37580 "
      },
      {
        "title": "langligelang",
        "trust": 0.1,
        "url": "https://github.com/langligelang/langligelang "
      },
      {
        "title": "db_script_v2",
        "trust": 0.1,
        "url": "https://github.com/ilovewomen/db_script_v2 "
      },
      {
        "title": "db_script_v2_2",
        "trust": 0.1,
        "url": "https://github.com/ilovewomen/db_script_v2_2 "
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2021-89682"
      },
      {
        "db": "VULMON",
        "id": "CVE-2021-37580"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-015197"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202111-1500"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-287",
        "trust": 1.0
      },
      {
        "problemtype": "Inappropriate authentication (CWE-287) [NVD evaluation ]",
        "trust": 0.8
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-015197"
      },
      {
        "db": "NVD",
        "id": "CVE-2021-37580"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 2.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2021-37580"
      },
      {
        "trust": 1.7,
        "url": "https://lists.apache.org/thread/o15j25qwtpcw62k48xw1tnv48skh3zgb"
      },
      {
        "trust": 1.7,
        "url": "http://www.openwall.com/lists/oss-security/2021/11/16/1"
      },
      {
        "trust": 0.1,
        "url": "https://cwe.mitre.org/data/definitions/287.html"
      },
      {
        "trust": 0.1,
        "url": "https://github.com/liang2580/cve-2021-37580"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2021-89682"
      },
      {
        "db": "VULMON",
        "id": "CVE-2021-37580"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-015197"
      },
      {
        "db": "NVD",
        "id": "CVE-2021-37580"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202111-1500"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "CNVD",
        "id": "CNVD-2021-89682"
      },
      {
        "db": "VULMON",
        "id": "CVE-2021-37580"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-015197"
      },
      {
        "db": "NVD",
        "id": "CVE-2021-37580"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202111-1500"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2021-11-22T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2021-89682"
      },
      {
        "date": "2021-11-16T00:00:00",
        "db": "VULMON",
        "id": "CVE-2021-37580"
      },
      {
        "date": "2022-11-11T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2021-015197"
      },
      {
        "date": "2021-11-16T10:15:07.220000",
        "db": "NVD",
        "id": "CVE-2021-37580"
      },
      {
        "date": "2021-11-16T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202111-1500"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2021-11-22T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2021-89682"
      },
      {
        "date": "2021-11-17T00:00:00",
        "db": "VULMON",
        "id": "CVE-2021-37580"
      },
      {
        "date": "2022-11-11T05:28:00",
        "db": "JVNDB",
        "id": "JVNDB-2021-015197"
      },
      {
        "date": "2021-11-17T20:17:30.813000",
        "db": "NVD",
        "id": "CVE-2021-37580"
      },
      {
        "date": "2021-11-25T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202111-1500"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202111-1500"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Apache\u00a0ShenYu\u00a0Admin\u00a0 Authentication vulnerability in",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-015197"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "authorization issue",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202111-1500"
      }
    ],
    "trust": 0.6
  }
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2021-37580 (GCVE-0-2021-37580)

CNVD-2021-89682

FKIE_CVE-2021-37580

GHSA-VPFP-5GWQ-G533

GSD-2021-37580

VAR-202111-0822

Tags

Sightings

Nomenclature