Back to search
CVE-2022-26650
Published: May 17, 2022
Modified: Aug 3, 2024
PUBLISHED
Description
In Apache ShenYui, ShenYu-Bootstrap, RegexPredicateJudge.java uses Pattern.matches(conditionData.getParamValue(), realData) to make judgments, where both parameters are controllable by the user. This can cause an attacker pass in malicious regular expressions and characters causing a resource exhaustion. This issue affects Apache ShenYu (incubating) 2.4.0, 2.4.1 and 2.4.2 and is fixed in 2.4.3.
| Vendor | Product | Versions |
|---|---|---|
Apache Software Foundation | Apache ShenYu (incubating) | affected unspecified - < 2.4.3 |
Weaknesses (CWE)
References
https://lists.apache.org/thread/8rp33m3nm4bwtx3qx76mqynth3t3d673
x_refsource_MISC
[oss-security] 20220517 CVE-2022-26650: Apache ShenYu (incubating) Regular expression denial of service
mailing-list
x_refsource_MLIST
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now