
CVE-2022-23223:
Password exposure in ShenYu

CVSS Score (v3.1): 7.5

Basic Information

EPSS Score: 0.87169%
Published: 1/28/2022
Updated: 10/4/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Package Name: org.apache.shenyu:shenyu-common
Ecosystem: maven
Vulnerable Versions: >= 2.4.0, < 2.4.2
First Patched Version: 2.4.2

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stemmed from two key issues: 1) The `queryDashboardUsers` method actively decrypted stored passwords and included the plaintext values in its responses. 2) The `DashboardUserVO` class lacked @JsonIgnore on the password field, so the credentials were exposed whenever the object was serialized for the API. The fix removed the password decryption logic, added the appropriate authorization annotations (@RequiresPermissions), and placed @JsonIgnore on the password field. The commit diff shows the removal of the password decryption lines and the addition of the security annotations, confirming that `queryDashboardUsers` was central to the vulnerability.
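The following is an added example written for this page, not ShenYu's own code, to show the second root cause concretely: a view object whose password field is serialized by Jackson, placed beside the hardened form that carries @JsonIgnore. The class names (`LeakyUserVO`, `SafeUserVO`), the helper methods and the sample records are all constructed for illustration; the example assumes Jackson's `jackson-databind` is on the classpath.

```java
// Added example (not ShenYu's code): how a Jackson-serialized view object
// leaks a password field, and how @JsonIgnore removes it from every response
// that returns the object, whichever controller builds it.
// Assumes com.fasterxml.jackson.core:jackson-databind on the classpath.
// Class, field and method names below are illustrative, not ShenYu's.
import com.fasterxml.jackson.annotation.JsonIgnore;
import com.fasterxml.jackson.databind.ObjectMapper;

public class PasswordExposureExample {

    // Vulnerable shape: a public getter exists for every field, so Jackson
    // writes the password into the JSON along with the rest of the record.
    public static class LeakyUserVO {
        private final String userName;
        private final String password;

        public LeakyUserVO(String userName, String password) {
            this.userName = userName;
            this.password = password;
        }

        public String getUserName() { return userName; }
        public String getPassword() { return password; }
    }

    // Hardened shape: @JsonIgnore on the field excludes the "password" property
    // from serialization. Jackson merges annotations across the field and its
    // getter for the same logical property, so annotating the field is enough;
    // it is repeated on the getter here to make the intent explicit.
    public static class SafeUserVO {
        private final String userName;
        @JsonIgnore
        private final String password;

        public SafeUserVO(String userName, String password) {
            this.userName = userName;
            this.password = password;
        }

        public String getUserName() { return userName; }
        @JsonIgnore
        public String getPassword() { return password; }
    }

    // Stands in for the framework step that turns a returned object into the
    // HTTP response body.
    public static String toJson(Object vo) throws Exception {
        return new ObjectMapper().writeValueAsString(vo);
    }

    // Regression check a reviewer can drop into a unit test: does the
    // serialized form of a user record carry a "password" property at all?
    public static boolean exposesPassword(String json) {
        return json.contains("\"password\"");
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample record; the credential is a placeholder string.
        String leaky = toJson(new LeakyUserVO("admin", "placeholder-secret"));
        String safe = toJson(new SafeUserVO("admin", "placeholder-secret"));

        System.out.println("vulnerable VO: " + leaky);
        System.out.println("hardened VO:   " + safe);
        System.out.println("leaky exposes password?    " + exposesPassword(leaky));
        System.out.println("hardened exposes password? " + exposesPassword(safe));
    }
}
```

Compile and run it with `jackson-databind` (and its `jackson-core` and `jackson-annotations` dependencies) on the classpath; the first JSON line contains the `password` property and the second does not. The annotation fixes the serialization side regardless of which endpoint returns the object, which is why it complements rather than replaces the other half of the fix, removing the decryption step from the listing method so that plaintext credentials are never materialized in the first place.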


WAF Protection Rules

WAF Rule

On Apache ShenYu versions 2.4.0 and 2.4.1, an endpoint existed that disclosed the passwords of all users. Users are recommended to upgrade to version 2.4.2 or later.

Reasoning

The vulnerability stemmed from two key issues: 1) The `queryDashboardUsers` method actively decrypted passwords and included them in responses. 2) The `DashboardUserVO` class lacked @JsonIgnore on the password field, enabling credential exposure through API serialization. The fix removed password decryption logic, added proper security annotations (@RequiresPermissions), and implemented @JsonIgnore on the password field. The commit diff shows removal of password decryption lines and security annotation additions, confirming this function's central role in the vulnerability.