Posted to dev@shenyu.apache.org by Mark J Cox <mj...@apache.org> on 2022/01/03 12:56:18 UTC

Re: Password leakage in Apache Shenyu

Hi, was this a security issue?  If so we should allocate a CVE name and
follow https://s.apache.org/cveprocess

Regards, Mark J Cox
ASF Security


On Wed, Nov 24, 2021 at 7:17 AM XiaoYu <xi...@apache.org> wrote:

> Hi gregory and security team
>
> First of all, thank you very much for your help.
> We have completely fixed this problem, and it will be in the next release:
> https://github.com/apache/incubator-shenyu/pull/2357
>
> Regards xiaoyu
>
> Apache Security Team <se...@apache.org> wrote on Tue, Nov 23, 2021 at 5:23 PM:
>
>> Please note that when you send mail to dev@shenyu it becomes public
>> immediately.  This is not the correct way to report a security issue.
>> Please see https://apache.org/security/ for the correct way to report
>> possible security issues.
>>
>> Regards, Mark
>>
>> On Tue, Nov 23, 2021 at 9:20 AM gregory draperi <
>> gregory.draperi@gmail.com> wrote:
>>
>>> Dear Developers of Apache Shenyu,
>>>
>>> I am reaching you as I was reviewing your application and there is a
>>> password leakage in the application.
>>>
>>> It means that when a user requests the following URL
>>> "dashboardUser?currentPage=1&pageSize=12", the response will disclose all
>>> the passwords of the users.
>>>
>>> [image: image.png]
>>>
>>> It is not critical as you need to be authenticated but still it is a bad
>>> practice.
>>>
>>> I have attached a Python script to reproduce the issue. You need to set
>>> the information (host, username & password) to use it.
>>>
>>> Feel free to reach me should you have questions.
>>>
>>> Regards,
>>>
>>> Gregory
>>> --
>>> Grégory Draperi
>>>
>>
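The issue discussed in this thread is a user-listing endpoint that serializes stored user records, password field included, straight into its JSON response. The following is an added example, not code from the thread or from the Shenyu project, written in Python because that is the language of the reporter's reproduction script. It contrasts the leaky pattern (emitting the stored record as-is) with an allow-list view that can never carry a password field, and adds a small response auditor that walks decoded JSON and reports any sensitive key at any nesting depth, which is the kind of regression check a maintainer can run against every authenticated endpoint. The record layout, field names (`userName`, `dataList`), page shape and hash values are all constructed for the example and are not Shenyu's.

```python
import json

# Constructed sample records (not Shenyu's data model); the password
# values are placeholders standing in for stored password hashes.
USERS = [
    {"id": 1, "userName": "admin", "password": "PLACEHOLDER_HASH_1",
     "role": 1, "enabled": True},
    {"id": 2, "userName": "alice", "password": "PLACEHOLDER_HASH_2",
     "role": 0, "enabled": True},
]

# Key-name fragments that should never appear in an API response body.
SENSITIVE_KEY_FRAGMENTS = ("password", "passwd", "secret", "token")

# Fields a client of a user-management page legitimately needs.
PUBLIC_USER_FIELDS = ("id", "userName", "role", "enabled")


def _slice(users, current_page, page_size):
    """Return the records for a 1-based page, mirroring the query parameters in the report."""
    start = (current_page - 1) * page_size
    return users[start:start + page_size]


def leaky_page(users, current_page, page_size):
    """The pattern the report describes: stored records go to the wire unchanged,
    so whatever the persistence layer holds (here, the password field) is disclosed."""
    return {"code": 200,
            "data": {"dataList": _slice(users, current_page, page_size),
                     "page": {"currentPage": current_page, "pageSize": page_size,
                              "totalCount": len(users)}}}


def to_public_view(user):
    """Hardened form: build the response object from an explicit allow-list.
    A field that is not named here cannot reach the client, even if a new
    sensitive column is added to the record later."""
    return {k: user[k] for k in PUBLIC_USER_FIELDS if k in user}


def safe_page(users, current_page, page_size):
    """Same endpoint with each record mapped through the allow-list view."""
    return {"code": 200,
            "data": {"dataList": [to_public_view(u) for u in _slice(users, current_page, page_size)],
                     "page": {"currentPage": current_page, "pageSize": page_size,
                              "totalCount": len(users)}}}


def find_sensitive_keys(obj, path="$"):
    """Walk a decoded JSON value and return the JSONPath-style location of every
    key whose name contains a sensitive fragment, at any depth. An empty list
    means the response carries no such field."""
    hits = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            if any(frag in key.lower() for frag in SENSITIVE_KEY_FRAGMENTS):
                hits.append(f"{path}.{key}")
            hits.extend(find_sensitive_keys(value, f"{path}.{key}"))
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            hits.extend(find_sensitive_keys(value, f"{path}[{index}]"))
    return hits


def audit_response_body(body_text):
    """Audit a raw JSON response body as a test or middleware would see it."""
    return find_sensitive_keys(json.loads(body_text))


if __name__ == "__main__":
    leaky_body = json.dumps(leaky_page(USERS, 1, 12))
    safe_body = json.dumps(safe_page(USERS, 1, 12))
    print("leaky endpoint:", audit_response_body(leaky_body))
    print("safe endpoint: ", audit_response_body(safe_body))
```

The auditor is deliberately independent of the serializer: running it over the real HTTP response body (rather than over the Python object) catches leaks introduced by any layer between the handler and the wire, and it can be pointed at every authenticated endpoint in a test suite, not only the one named in the report.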