CVE-2022-26650

Summary

In Apache ShenYui, ShenYu-Bootstrap, RegexPredicateJudge.java uses Pattern.matches(conditionData.getParamValue(), realData) to make judgments, where both parameters are controllable by the user. This can cause an attacker pass in malicious regular expressions and characters causing a resource exhaustion. This issue affects Apache ShenYu (incubating) 2.4.0, 2.4.1 and 2.4.2 and is fixed in 2.4.3.

Affected Software

VendorProductVersion RangeStatus
Apache Software FoundationApache ShenYu (incubating)unspecified < 2.4.3affected

Weaknesses

  • CWE-1333: CWE-1333 Inefficient Regular Expression Complexity

Workarounds

Upgrade to Apache ShenYu (incubating) 2.4.3 or apply patch https://github.com/apache/incubator-shenyu/pull/2975.

ADP Enrichment

CVE Program Container

Additional References

References