Please note that when you send mail to dev@shenyu it becomes public immediately. This is not the correct way to report a security issue. Please see https://apache.org/security/ for the correct way to report possible security issues.
Regards,

Mark

On Tue, Nov 23, 2021 at 9:20 AM gregory draperi <gregory.drap...@gmail.com> wrote:

> Dear Developers of Apache Shenyu,
>
> I am reaching you as I was reviewing your application and there is a
> password leakage in the application.
>
> It means that when a user will request the following URL
> "dashboardUser?currentPage=1&pageSize=12", the response will disclose all
> the passwords of the users.
>
> [image: image.png]
>
> It is not critical as you need to be authenticated but still it is a bad
> practice.
>
> I have attached a Python script to reproduce the issue. You need to set
> the information (host, username & password) to use it.
>
> Feel free to reach me should you have questions.
>
> Regards,
>
> Gregory
> --
> Grégory Draperi
>
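
A regression check for the kind of issue reported above, as an added example that is not part of this thread or of Apache ShenYu's code: it walks a JSON listing response and reports every credential-like field that is serialized to the client, then shows the response with those fields dropped. The response shape, the key names in `SENSITIVE_KEYS` and all sample values are constructed assumptions.

```python
import json

# Key names treated as credential material (an assumption; extend per API).
SENSITIVE_KEYS = {"password", "passwd", "pwd", "secret", "token"}


def find_sensitive_fields(node, path="$"):
    """Return JSON paths of non-empty values stored under credential-like keys."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key.lower() in SENSITIVE_KEYS and value not in (None, ""):
                hits.append(child)
            else:
                hits.extend(find_sensitive_fields(value, child))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            hits.extend(find_sensitive_fields(item, f"{path}[{i}]"))
    return hits


def redact(node):
    """Return a copy of the structure with credential-like keys dropped."""
    if isinstance(node, dict):
        return {k: redact(v) for k, v in node.items()
                if k.lower() not in SENSITIVE_KEYS}
    if isinstance(node, list):
        return [redact(v) for v in node]
    return node


# Constructed sample: hypothetical shape of a paginated user listing.
SAMPLE_RESPONSE = json.loads("""
{"code": 200,
 "data": {"page": {"currentPage": 1, "pageSize": 12},
          "dataList": [
            {"id": "1", "userName": "admin", "password": "constructed-value-1"},
            {"id": "2", "userName": "alice", "password": "constructed-value-2"}]}}
""")

if __name__ == "__main__":
    for field_path in find_sensitive_fields(SAMPLE_RESPONSE):
        print("credential field in response:", field_path)
    print(json.dumps(redact(SAMPLE_RESPONSE), indent=2))
```

Run against captured API responses in an integration test, a non-empty result from `find_sensitive_fields` fails the build before a listing endpoint ships with credential fields in its payload.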