CVE-2022-26650

In Apache ShenYui, ShenYu-Bootstrap, RegexPredicateJudge.java uses Pattern.matches(conditionData.getParamValue(), realData) to make judgments, where both parameters are controllable by the user. This can cause an attacker pass in malicious regular expressions and characters causing a resource exhaustion. This issue affects Apache ShenYu (incubating) 2.4.0, 2.4.1 and 2.4.2 and is fixed in 2.4.3.
References
Link Resource
http://www.openwall.com/lists/oss-security/2022/05/17/3 Mailing List Patch Third Party Advisory
https://lists.apache.org/thread/8rp33m3nm4bwtx3qx76mqynth3t3d673 Mailing List Vendor Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:apache:shenyu:2.4.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:shenyu:2.4.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:shenyu:2.4.2:*:*:*:*:*:*:*

History

11 Jul 2023, 14:33

Type Values Removed Values Added
CWE CWE-862 CWE-1333

Information

Published : 2022-05-17 08:15

Updated : 2024-02-28 19:09


NVD link : CVE-2022-26650

Mitre link : CVE-2022-26650

CVE.ORG link : CVE-2022-26650


JSON object : View

Products Affected

apache

  • shenyu
CWE
CWE-1333

Inefficient Regular Expression Complexity