CVE-2022-26650: Missing Authorization

May 17, 2022 (updated July 12, 2023)

In Apache ShenYui, ShenYu-Bootstrap, RegexPredicateJudge.java uses Pattern.matches(conditionData.getParamValue(), realData) to make judgments, where both parameters are controllable by the user. This can cause an attacker pass in malicious regular expressions and characters causing a resource exhaustion. This issue affects Apache ShenYu (incubating) 2.4.0, 2.4.1 and 2.4.2 and is fixed in 2.4.3.

References

www.openwall.com/lists/oss-security/2022/05/17/3
lists.apache.org/thread/8rp33m3nm4bwtx3qx76mqynth3t3d673
nvd.nist.gov/vuln/detail/CVE-2022-26650

Code Behaviors & Features

Detect and mitigate CVE-2022-26650 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →