Описание
In Apache ShenYui, ShenYu-Bootstrap, RegexPredicateJudge.java uses Pattern.matches(conditionData.getParamValue(), realData) to make judgments, where both parameters are controllable by the user. This can cause an attacker pass in malicious regular expressions and characters causing a resource exhaustion. This issue affects Apache ShenYu (incubating) 2.4.0, 2.4.1 and 2.4.2 and is fixed in 2.4.3.
Ссылки
- Mailing ListPatchThird Party Advisory
- Mailing ListVendor Advisory
- Mailing ListPatchThird Party Advisory
- Mailing ListVendor Advisory
Уязвимые конфигурации
Конфигурация 1
Одно из
cpe:2.3:a:apache:shenyu:2.4.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:shenyu:2.4.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:shenyu:2.4.2:*:*:*:*:*:*:*
EPSS
Процентиль: 79%
0.01258
Низкий
7.5 High
CVSS3
5 Medium
CVSS2
Дефекты
CWE-1333
CWE-1333
Связанные уязвимости
CVSS3: 7.5
github
больше 3 лет назад
Regular expression denial of service in Apache ShenYu
EPSS
Процентиль: 79%
0.01258
Низкий
7.5 High
CVSS3
5 Medium
CVSS2
Дефекты
CWE-1333
CWE-1333