Hi, was this a security issue? If so we should allocate a CVE name and follow https://s.apache.org/cveprocess
Regards, Mark J Cox
ASF Security

On Wed, Nov 24, 2021 at 7:17 AM XiaoYu <[email protected]> wrote:
> Hi gregory and security team
>
> First of all, thank you very much for your help.
> We have completely fixed this problem, and it is in the next release:
> https://github.com/apache/incubator-shenyu/pull/2357
>
> Regards xiaoyu
>
> Apache Security Team <[email protected]> wrote on Tue, Nov 23, 2021 at 5:23 PM:
>
>> Please note that when you send mail to dev@shenyu it becomes public
>> immediately. This is not the correct way to report a security issue.
>> Please see https://apache.org/security/ for the correct way to report
>> possible security issues.
>>
>> Regards, Mark
>>
>> On Tue, Nov 23, 2021 at 9:20 AM gregory draperi <[email protected]> wrote:
>>
>>> Dear Developers of Apache Shenyu,
>>>
>>> I am reaching you as I was reviewing your application and there is a
>>> password leakage in the application.
>>>
>>> It means that when a user requests the following URL
>>> "dashboardUser?currentPage=1&pageSize=12", the response will disclose all
>>> the passwords of the users.
>>>
>>> [image: image.png]
>>>
>>> It is not critical as you need to be authenticated, but still it is a bad
>>> practice.
>>>
>>> I have attached a Python script to reproduce the issue. You need to set
>>> the information (host, username & password) to use it.
>>>
>>> Feel free to reach me should you have questions.
>>>
>>> Regards,
>>>
>>> Gregory
>>> --
>>> Grégory Draperi
>>
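The report above describes the classic shape of this bug: a paginated admin list endpoint serialises the stored user entity as-is, so the password (or its hash) rides along in every row. The following is an added example, not the reporter's attached script and not ShenYu project code; the JSON layout, field names and user records are constructed for illustration, and the real dashboardUser response format is not reproduced here. It shows the "before" (entity serialised wholesale) beside the hardened form (an allow-listed public view), together with the recursive response audit a reviewer would run against any paginated listing to catch credential fields wherever they are nested.

```python
"""Audit a paginated JSON list response for leaked credential fields.

Added example only: the response shape, key names and user records below are
constructed and do not reproduce ShenYu's actual dashboardUser API.
"""
import json
import re
from dataclasses import asdict, dataclass
from typing import Any, Dict, Iterator, List, Tuple

# Key names that must never appear in a list or detail response. Matching is
# case-insensitive and substring-based so "passwordHash" or "PASSWD" also hit.
SENSITIVE_KEY_RE = re.compile(r"passw(or)?d|secret|token|apikey|api_key", re.IGNORECASE)


def find_sensitive_keys(node: Any, path: str = "$") -> Iterator[Tuple[str, Any]]:
    """Walk nested dicts/lists and yield (json_path, value) for every key whose
    name looks like a credential, so a finding points at the exact field."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if SENSITIVE_KEY_RE.search(key):
                yield child, value
            yield from find_sensitive_keys(value, child)
    elif isinstance(node, list):
        for index, item in enumerate(node):
            yield from find_sensitive_keys(item, f"{path}[{index}]")


def leaked_paths(payload: Any) -> List[str]:
    """Paths of sensitive keys carrying a non-empty value (null/"" are ignored,
    since a field that is present but blanked is not a disclosure)."""
    return [p for p, v in find_sensitive_keys(payload) if v not in (None, "")]


@dataclass
class DashboardUser:
    """Constructed stand-in for a persisted admin-console user."""
    id: str
    userName: str
    password: str  # credential (hash at rest); must never reach a list response
    role: int
    enabled: bool

    def to_public_dict(self) -> Dict[str, Any]:
        """Hardened view: allow-list what the console needs rather than
        serialising the whole entity and hoping nothing sensitive is in it."""
        return {"id": self.id, "userName": self.userName,
                "role": self.role, "enabled": self.enabled}


# Constructed sample data; the hash strings are placeholders, not real hashes.
USERS = [
    DashboardUser("1", "admin", "$2a$10$constructedHashForAdmin", 1, True),
    DashboardUser("2", "alice", "$2a$10$constructedHashForAlice", 2, True),
    DashboardUser("3", "bob", "$2a$10$constructedHashForBob", 2, False),
]


def page_slice(users: List[DashboardUser], current_page: int, page_size: int) -> List[DashboardUser]:
    """1-based paging, mirroring currentPage/pageSize query parameters."""
    start = (current_page - 1) * page_size
    return users[start:start + page_size]


def envelope(rows: List[Dict[str, Any]], current_page: int, page_size: int, total: int) -> Dict[str, Any]:
    """Constructed response envelope around one page of rows."""
    return {"data": {"currentPage": current_page, "pageSize": page_size,
                     "totalCount": total, "dataList": rows}}


def list_users_leaky(users: List[DashboardUser], current_page: int, page_size: int) -> Dict[str, Any]:
    """Before: the persistence entity is dumped field-for-field into the row."""
    rows = [asdict(u) for u in page_slice(users, current_page, page_size)]
    return envelope(rows, current_page, page_size, len(users))


def list_users_hardened(users: List[DashboardUser], current_page: int, page_size: int) -> Dict[str, Any]:
    """After: rows are built from the allow-listed public view."""
    rows = [u.to_public_dict() for u in page_slice(users, current_page, page_size)]
    return envelope(rows, current_page, page_size, len(users))


if __name__ == "__main__":
    for name, handler in (("leaky", list_users_leaky), ("hardened", list_users_hardened)):
        response = handler(USERS, 1, 12)
        print(f"{name}: {json.dumps(response)}")
        print(f"{name}: leaked fields -> {leaked_paths(response) or 'none'}")
```

The audit deliberately walks the whole document rather than just the first row, because a field that is scrubbed on one entity type often survives in a nested object (an owner, a creator, an audit record) a level down; `leaked_paths` reports the JSON path so the finding can be handed straight to the developer owning that serializer.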
