Platform
java
Component
org.apache.shenyu:shenyu-admin
Fixed in
2.3.1
2.4.1
CVE-2021-37580 is a critical authentication bypass vulnerability discovered in Apache ShenYu Admin. The flawed implementation of JSON Web Token (JWT) handling within ShenyuAdminBootstrap allows attackers to circumvent authentication mechanisms. This vulnerability affects versions up to 2.4.0 and can lead to unauthorized access and potential compromise of the ShenYu Admin interface. A patch is available in version 2.4.1.
This vulnerability presents a significant risk because it allows attackers to bypass authentication entirely. An attacker can craft malicious JWTs to impersonate legitimate users, granting them full administrative access to the ShenYu Admin console. This access could be used to modify configurations, inject malicious code, steal sensitive data, or even compromise the entire ShenYu service mesh. The potential impact is severe, as ShenYu Admin is often used to manage and control critical infrastructure components. Successful exploitation could lead to widespread disruption and data breaches.
This vulnerability is considered highly exploitable due to the ease of crafting malicious JWTs. Public proof-of-concept exploits are likely to emerge, further increasing the risk. The vulnerability was publicly disclosed on November 17, 2021. While no confirmed active exploitation campaigns have been publicly reported, the critical severity and ease of exploitation warrant immediate attention. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS
93.99% (100% percentile)
CVSS Vector
The primary mitigation is to upgrade to Apache ShenYu Admin version 2.4.1 or later, which contains the fix for this vulnerability. If upgrading immediately is not possible, consider implementing temporary workarounds. While a direct WAF rule is difficult to implement due to the JWT nature, strict input validation on all parameters passed to the ShenYu Admin API can help reduce the attack surface. Monitoring JWT signature verification failures in ShenYu logs can provide early detection of potential attacks. After upgrading, confirm the fix by attempting to authenticate with a known valid JWT and verifying that authentication proceeds as expected.
Actualice Apache ShenYu Admin a una versión posterior a la 2.4.0 que haya corregido la vulnerabilidad de autenticación JWT. Consulte las notas de la versión para obtener detalles sobre la actualización.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2021-37580 is a critical vulnerability in Apache ShenYu Admin versions up to 2.4.0 that allows attackers to bypass authentication by exploiting improper JWT handling, potentially granting unauthorized access.
If you are using Apache ShenYu Admin versions 2.3.0 or 2.4.0, you are affected by this vulnerability and should upgrade immediately.
Upgrade to Apache ShenYu Admin version 2.4.1 or later to remediate the vulnerability. Consider temporary workarounds like input validation if immediate upgrade is not possible.
While no confirmed active exploitation campaigns have been publicly reported, the critical severity and ease of exploitation warrant immediate attention and proactive mitigation.
Refer to the Apache ShenYu security advisory for detailed information and updates: https://shenyu.apache.org/news/announcements/security/cve-2021-37580/
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your pom.xml file and we'll tell you instantly if you're affected.