Apache ShenYu 2.4.1 Improper access control
Description
Apache ShenYu 2.4.0 and 2.4.1 allow unauthenticated access to the /plugin API, leading to potential disclosure or modification of plugin configuration.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Apache ShenYu versions 2.4.0 and 2.4.1 improperly allow unauthenticated users to access the /plugin API endpoint. The issue exists because the plugin-related API endpoints were not excluded from the Shiro authentication white list, effectively granting anonymous access to plugin management functionality [1][2].
Exploitation
An attacker with network access to the ShenYu Admin dashboard can exploit this vulnerability by sending HTTP requests to the /plugin API without any authentication token or session. No prior authentication, user interaction, or special privileges are required. The attacker can enumerate plugin endpoints, view plugin details, or potentially modify plugin settings if the API supports write operations [1][4].
Impact
Successful exploitation allows an unauthenticated attacker to read or manipulate plugin configuration data, leading to information disclosure or unauthorized changes in API gateway behavior. This could result in bypassing security controls, redirecting traffic, or disrupting service governance [1][2].
Mitigation
Apache has fixed this issue in a commit that removes the /plugin endpoints from the Shiro white list, requiring authentication for plugin API access [1]. Users should upgrade to ShenYu version 2.4.2 or later, or apply the patch from pull request #2462. No known workarounds other than restricting network access to the admin portal are available. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog [1][2][4].
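The root cause above is an authentication white list that contained a management path. The following audit script is an added example, not code from the ShenYu project or the advisory: it parses a constructed application.yml fragment and flags white-list entries that would grant anonymous access to /plugin (or, as a generalisation, to other hypothetical management prefixes), so that a deployment can be checked before and after applying the fix. The property name `shiro.white-list`, the sample entries and the extra prefixes are assumptions for illustration.

```python
import fnmatch
from typing import List

# Constructed sample of a ShenYu Admin application.yml fragment. The key name
# `shiro.white-list` and the entries are assumptions for illustration, not the
# project's actual configuration file.
VULNERABLE_YML = """\
shiro:
  white-list:
    - /
    - /favicon.*
    - /static/**
    - /platform/login
    - /plugin
"""

# The fix described in the advisory: the /plugin entry is no longer white-listed.
FIXED_YML = VULNERABLE_YML.replace("    - /plugin\n", "")

# Paths that must never be reachable anonymously. /plugin is the one named by
# this advisory; the others are hypothetical extras showing the check generalises.
SENSITIVE_PREFIXES = ("/plugin", "/rule", "/selector", "/dashboardUser")


def parse_white_list(yml: str) -> List[str]:
    """Extract '- item' entries under 'white-list:' from a YAML fragment (minimal parser)."""
    entries, in_block = [], False
    for raw in yml.splitlines():
        line = raw.strip()
        if line == "white-list:":
            in_block = True
        elif in_block and line.startswith("- "):
            entries.append(line[2:].strip())
        elif in_block and line:
            in_block = False  # a new key ends the list block
    return entries


def anonymous_sensitive(entries: List[str]) -> List[str]:
    """Return white-list entries that expose a sensitive prefix or any path below it."""
    hits = []
    for pattern in entries:
        for prefix in SENSITIVE_PREFIXES:
            # Exact match, or an Ant-style glob (*, **) covering the prefix or its sub-paths.
            if (pattern == prefix or fnmatch.fnmatch(prefix, pattern)
                    or fnmatch.fnmatch(prefix + "/x", pattern)):
                hits.append(pattern)
                break
    return hits


if __name__ == "__main__":
    print("before fix:", anonymous_sensitive(parse_white_list(VULNERABLE_YML)))
    print("after fix: ", anonymous_sensitive(parse_white_list(FIXED_YML)))
```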
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.shenyu:shenyu-common (Maven) | >= 2.4.0, < 2.4.2 | 2.4.2 |
Affected products: 2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-6v39-p2xq-g5c3 (advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-23944 (advisory)
- www.openwall.com/lists/oss-security/2022/01/25/15 (mailing list)
- www.openwall.com/lists/oss-security/2022/01/25/5 (mailing list)
- www.openwall.com/lists/oss-security/2022/01/26/2 (mailing list)
- github.com/apache/incubator-shenyu/pull/2462 (web)
- github.com/apache/shenyu/pull/2462/commits/50e4b5e626ad94b415e26ef4fbe584bd51fd1b77 (web)
- lists.apache.org/thread/dbrjnnlrf80dr0f92k5r2ysfvf1kr67y (web)
News mentions
No linked articles in our index yet.