Hi Gregory and security team,

First of all, thank you very much for your help. This problem we have completely fixed, and it is in the next release: https://github.com/apache/incubator-shenyu/pull/2357

Regards,
xiaoyu

Apache Security Team <[email protected]> wrote on Tue, Nov 23, 2021 at 5:23 PM:
> Please note that when you send mail to dev@shenyu it becomes public
> immediately. This is not the correct way to report a security issue.
> Please see https://apache.org/security/ for the correct way to report
> possible security issues.
>
> Regards,
> Mark
>
> On Tue, Nov 23, 2021 at 9:20 AM gregory draperi <[email protected]>
> wrote:
>
>> Dear Developers of Apache Shenyu,
>>
>> I am reaching you as I was reviewing your application and there is a
>> password leakage in the application.
>>
>> It means that when a user requests the following URL
>> "dashboardUser?currentPage=1&pageSize=12", the response will disclose all
>> the passwords of the users.
>>
>> [image: image.png]
>>
>> It is not critical as you need to be authenticated, but still it is a bad
>> practice.
>>
>> I have attached a Python script to reproduce the issue. You need to set
>> the information (host, username & password) to use it.
>>
>> Feel free to reach me should you have questions.
>>
>> Regards,
>>
>> Gregory
>> --
>> Grégory Draperi
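The thread above describes a paged user-list endpoint that serialized the full user record, password field included. The following is an added example, not code from Apache ShenYu or from any participant in the thread, showing the two defender-side pieces a team typically wants after such a report: a regression check that scans an API response for credential-like keys, and an allow-list projection that builds the response from a fixed set of public fields so a sensitive column can never leak by default. The response shape, the field names (`dataList`, `userName`, `password`, `enabled`) and the key pattern are assumptions constructed for the example; the PR linked in the thread is not reproduced here.

```python
import copy
import re

# Constructed sample resembling a paged "list users" response; it is NOT real
# ShenYu output and the field names are assumptions for this example.
SAMPLE_RESPONSE = {
    "code": 200,
    "message": "query success",
    "data": {
        "page": {"currentPage": 1, "pageSize": 12, "totalCount": 2},
        "dataList": [
            {"id": "1", "userName": "admin", "password": "hunter2", "enabled": True},
            {"id": "2", "userName": "alice", "password": "s3cret", "enabled": True},
        ],
    },
}

# Keys that should never appear in a JSON response body (assumed pattern).
SENSITIVE_KEY = re.compile(r"(password|passwd|pwd)", re.IGNORECASE)

# Allow-list of user fields the dashboard API is permitted to expose (assumed).
USER_PUBLIC_FIELDS = ("id", "userName", "enabled")


def find_sensitive_fields(obj, path="$"):
    """Detection side: walk a decoded JSON document and return the JSON paths of
    every key that matches SENSITIVE_KEY. Suitable as an integration-test
    assertion over real responses, so a reintroduced leak fails CI."""
    hits = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            child = f"{path}.{key}"
            if SENSITIVE_KEY.search(key):
                hits.append(child)
            hits.extend(find_sensitive_fields(value, child))
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            hits.extend(find_sensitive_fields(value, f"{path}[{index}]"))
    return hits


def redact_sensitive_fields(obj):
    """Deny-list fallback: return a deep copy with credential-like keys removed.
    Useful as a last line of defence at the serializer, but it only catches
    names the pattern knows about."""
    if isinstance(obj, dict):
        return {
            key: redact_sensitive_fields(value)
            for key, value in obj.items()
            if not SENSITIVE_KEY.search(key)
        }
    if isinstance(obj, list):
        return [redact_sensitive_fields(value) for value in obj]
    return obj


def to_public_user(user):
    """Allow-list projection: only the named public fields survive, so a new
    sensitive column added to the user entity later is not exposed by default."""
    return {key: user[key] for key in USER_PUBLIC_FIELDS if key in user}


def build_safe_page_response(response):
    """Rebuild the paged response from public-view user objects instead of
    serializing the persistence entity directly."""
    safe = copy.deepcopy(response)
    safe["data"]["dataList"] = [to_public_user(u) for u in safe["data"]["dataList"]]
    return safe


if __name__ == "__main__":
    print("leaked fields:", find_sensitive_fields(SAMPLE_RESPONSE))
    print("after projection:", find_sensitive_fields(build_safe_page_response(SAMPLE_RESPONSE)))
```

The allow-list projection is the fix a reviewer would ask for: mapping the persistence entity to a view object means the password column is never a candidate for serialization, whereas the deny-list redaction only guards against names it already recognizes. The scanner is the regression check to run against the real endpoint once the fix ships.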
