VYPR
High severity · NVD Advisory · Published Sep 1, 2022 · Updated Aug 3, 2024

Apache ShenYu Admin Improper Privilege Management

CVE-2022-37435

Description

Apache ShenYu Admin 2.4.2 and 2.4.3 allow low-privilege administrators to escalate privileges by modifying high-privilege user passwords due to insecure permissions.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Apache ShenYu Admin 2.4.2 and 2.4.3 allow low-privilege administrators to escalate privileges by modifying high-privilege user passwords due to insecure permissions.

Vulnerability

Overview

Apache ShenYu Admin versions 2.4.2 and 2.4.3 contain an insecure permissions vulnerability that allows low-privilege administrators to modify the passwords of high-privilege administrators [1]. The root cause is insufficient access control checks in the admin interface, which fails to enforce proper authorization when processing password change requests [3].

Exploitation

An attacker with a low-privilege admin account can exploit this flaw by sending a crafted request to the password modification endpoint, targeting a high-privilege user. No additional authentication or network position is required beyond having a valid low-privilege session [1]. The vulnerability is present in the admin module's user management functionality [3].

Impact

Successful exploitation allows a low-privilege administrator to gain full administrative control by changing the password of a high-privilege account. This can lead to complete compromise of the ShenYu gateway, including modification of routing rules, plugin configurations, and access to sensitive data [1].

Mitigation

The issue is fixed in Apache ShenYu version 2.5.0 [2]. Users running versions 2.4.2 or 2.4.3 should upgrade immediately. No workarounds are documented; upgrading is the recommended action [1][2].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.apache.shenyu:shenyu-common (Maven)
Affected versions: >= 2.4.2, < 2.5.0
Patched versions: 2.5.0

Affected products

2

Patches

1
f9c56889dcd9

#3657 Fix Admin have insecure permissions (#3658)

https://github.com/apache/shenyu · nuo-promise · Jul 29, 2022 · via ghsa-ref
2 files changed · +14 -0
  • shenyu-admin/src/main/java/org/apache/shenyu/admin/controller/DashboardUserController.java · +10 -0 · modified
    @@ -20,6 +20,7 @@
     import org.apache.commons.collections4.CollectionUtils;
     import org.apache.commons.lang3.StringUtils;
     import org.apache.shenyu.admin.mapper.DashboardUserMapper;
    +import org.apache.shenyu.admin.model.custom.UserInfo;
     import org.apache.shenyu.admin.model.dto.DashboardUserDTO;
     import org.apache.shenyu.admin.model.page.CommonPager;
     import org.apache.shenyu.admin.model.page.PageParameter;
    @@ -32,6 +33,7 @@
     import org.apache.shenyu.admin.utils.ShenyuResultMessage;
     import org.apache.shenyu.admin.validation.annotation.Existed;
     import org.apache.shenyu.common.utils.ShaUtils;
    +import org.apache.shiro.SecurityUtils;
     import org.apache.shiro.authz.annotation.RequiresPermissions;
     import org.springframework.validation.annotation.Validated;
     import org.springframework.web.bind.annotation.DeleteMapping;
    @@ -50,6 +52,7 @@
     import javax.validation.constraints.NotNull;
     import java.util.HashSet;
     import java.util.List;
    +import java.util.Objects;
     import java.util.Optional;
     
     /**
    @@ -158,6 +161,13 @@ public ShenyuAdminResult modifyPassword(@PathVariable("id")
                                                 @Existed(provider = DashboardUserMapper.class,
                                                         message = "user is not found") final String id,
                                                 @Valid @RequestBody final DashboardUserDTO dashboardUserDTO) {
    +        UserInfo userInfo = (UserInfo) SecurityUtils.getSubject().getPrincipal();
    +        if (Objects.isNull(userInfo)) {
    +            return ShenyuAdminResult.error(ShenyuResultMessage.DASHBOARD_USER_LOGIN_ERROR);
    +        }
    +        if (!userInfo.getUserId().equals(id) && !userInfo.getUserName().equals(dashboardUserDTO.getUserName())) {
    +            return ShenyuAdminResult.error(ShenyuResultMessage.DASHBOARD_MODIFY_PASSWORD_ERROR);
    +        }
             return updateDashboardUser(id, dashboardUserDTO);
         }
         
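Review bot: the ownership check `if (!userInfo.getUserId().equals(id) && !userInfo.getUserName().equals(dashboardUserDTO.getUserName()))` only rejects the request when both the path `id` and the body `userName` differ from the caller, so matching either one is enough to pass, and `dashboardUserDTO.getUserName()` is client-supplied rather than server-resolved. The path `id` is the one factor the server can trust at this point; suggest authorizing on it alone, `if (!userInfo.getUserId().equals(id)) { return ShenyuAdminResult.error(ShenyuResultMessage.DASHBOARD_MODIFY_PASSWORD_ERROR); }`, and letting `updateDashboardUser` reject a body whose `userName` does not match the stored record for `id`. A unit test for the cross-user case (caller's id differing from the path id) would document the intent of the check.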
    
  • shenyu-admin/src/main/java/org/apache/shenyu/admin/utils/ShenyuResultMessage.java · +4 -0 · modified
    @@ -46,8 +46,12 @@ public final class ShenyuResultMessage {
     
         public static final String ROLE_CREATE_ERROR = "can not create super role";
     
    +    public static final String DASHBOARD_USER_LOGIN_ERROR = "user not login please login first";
    +
         public static final String DASHBOARD_QUERY_ERROR = "user info is empty";
     
    +    public static final String DASHBOARD_MODIFY_PASSWORD_ERROR = "can not modify other user password";
    +
         public static final String DASHBOARD_CREATE_USER_ERROR = "empty user info, please confirm";
     
         public static final String PLATFORM_LOGIN_SUCCESS = "login dashboard user success";
    
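Review bot: the new constant `DASHBOARD_USER_LOGIN_ERROR = "user not login please login first"` is ungrammatical and is the text the dashboard client will surface; suggest `"user not logged in, please login first"`. `DASHBOARD_MODIFY_PASSWORD_ERROR` reads fine as a generic denial, which is the right level of detail for an authorization failure message.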

Vulnerability mechanics

Root cause

"Missing authorization check in the password modification endpoint allows a low-privilege administrator to change another user's password without verifying ownership."

Attack vector

An attacker who has authenticated as a low-privilege dashboard user can call the `modifyPassword` endpoint with an `id` parameter belonging to a high-privilege administrator (e.g., the super admin). The original code did not verify that the authenticated user owns the target account, so the request succeeds and overwrites the target's password. The attacker then logs in as the high-privilege user with the newly set password. The only precondition is a valid low-privilege session; no special network position is required beyond reachability of the ShenYu Admin API.

Affected code

The vulnerability resides in `DashboardUserController.java` in the `modifyPassword` method. Before the patch, the method called `updateDashboardUser(id, dashboardUserDTO)` without verifying that the authenticated user matches the target user identified by the `id` path variable.

What the fix does

The patch adds an identity check inside `modifyPassword` in `DashboardUserController.java` [patch_id=1641396]. After retrieving the currently authenticated user via `SecurityUtils.getSubject().getPrincipal()`, it compares both the user ID and the username from the request against the logged-in user's identity. If neither matches, the request is rejected with the new error message `"can not modify other user password"`. This ensures that a user can only change the password for their own account, closing the privilege escalation vector.
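The ownership check the patch introduces, shown below as a self-contained Java example added here (it is not the project's code and uses no Spring or Shiro APIs): `Principal` and `PasswordChangeRequest` are hypothetical stand-ins for the page's `UserInfo` and `DashboardUserDTO`, the in-memory store with its two accounts is constructed for the demo, and the hardened method authorizes on the server-resolved path `id` alone rather than on the client-supplied username.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.Map;
import java.util.Objects;

public class PasswordChangeAuthzDemo {

    /** Hypothetical stand-in for the authenticated principal (the page's UserInfo). */
    static final class Principal {
        final String userId;
        final String userName;
        Principal(String userId, String userName) {
            this.userId = userId;
            this.userName = userName;
        }
    }

    /** Hypothetical stand-in for DashboardUserDTO: the client-supplied request body. */
    static final class PasswordChangeRequest {
        final String userName;
        final String newPassword;
        PasswordChangeRequest(String userName, String newPassword) {
            this.userName = userName;
            this.newPassword = newPassword;
        }
    }

    /** Constructed in-memory user store: user id -> password hash. */
    private final Map<String, String> passwordHashByUserId = new HashMap<>();

    PasswordChangeAuthzDemo() {
        passwordHashByUserId.put("1", sha256Hex("admin-initial"));  // high-privilege account
        passwordHashByUserId.put("2", sha256Hex("viewer-initial")); // low-privilege account
    }

    /** Shape of the pre-patch endpoint: the path id is acted on with no ownership check. */
    String modifyPasswordVulnerable(Principal caller, String id, PasswordChangeRequest req) {
        return updateDashboardUser(id, req);
    }

    /**
     * Shape of the fixed endpoint: the caller may only change the password of the account
     * named by the path id. The id is resolved by the server, so it is the only identity
     * factor consulted; the body's userName is client-controlled and not used for authorization.
     */
    String modifyPasswordHardened(Principal caller, String id, PasswordChangeRequest req) {
        if (Objects.isNull(caller)) {
            return "user not login please login first";
        }
        if (!caller.userId.equals(id)) {
            return "can not modify other user password";
        }
        return updateDashboardUser(id, req);
    }

    private String updateDashboardUser(String id, PasswordChangeRequest req) {
        if (!passwordHashByUserId.containsKey(id)) {
            return "user is not found";
        }
        passwordHashByUserId.put(id, sha256Hex(req.newPassword));
        return "success";
    }

    boolean passwordMatches(String id, String candidate) {
        return sha256Hex(candidate).equals(passwordHashByUserId.get(id));
    }

    // Unsalted SHA-256 mirrors the ShaUtils import visible in the patch; a real deployment
    // would store passwords with a salted, slow password KDF instead.
    private static String sha256Hex(String s) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder();
            for (byte b : digest) {
                sb.append(String.format("%02x", b));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        Principal lowPriv = new Principal("2", "viewer");
        PasswordChangeRequest req = new PasswordChangeRequest("viewer", "new-secret");

        // Pre-patch behaviour: a low-privilege caller targeting the admin's id succeeds.
        PasswordChangeAuthzDemo before = new PasswordChangeAuthzDemo();
        System.out.println("vulnerable, target id 1: " + before.modifyPasswordVulnerable(lowPriv, "1", req)
                + ", admin password changed=" + before.passwordMatches("1", "new-secret"));

        // Fixed behaviour: the same request is rejected; changing one's own password still works.
        PasswordChangeAuthzDemo after = new PasswordChangeAuthzDemo();
        System.out.println("hardened, target id 1: " + after.modifyPasswordHardened(lowPriv, "1", req)
                + ", admin password changed=" + after.passwordMatches("1", "new-secret"));
        System.out.println("hardened, target id 2: " + after.modifyPasswordHardened(lowPriv, "2", req)
                + ", own password changed=" + after.passwordMatches("2", "new-secret"));
        System.out.println("hardened, no session: " + after.modifyPasswordHardened(null, "2", req));
    }
}
```

Running `main` shows the same low-privilege request succeeding against the pre-patch method and being rejected by the hardened one, while a change to the caller's own account still goes through and a missing session is refused before any lookup. Keying the decision on the path `id` is a deliberate narrowing of the patch's condition: the body's `userName` is under the client's control, so it belongs in input validation against the stored record, not in the authorization decision.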

Preconditions

  • auth: Attacker must have a valid low-privilege dashboard user session (any authenticated account).
  • network: Attacker must be able to reach the ShenYu Admin HTTP API endpoint for password modification.
  • input: Attacker must know or guess the user ID of a higher-privilege target account.

Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5

News mentions

0

No linked articles in our index yet.