Add credit. Severity: moderate
Description: In ShenYu-Bootstrap there's RegexPredicateJudge.java which uses Pattern.matches(conditionData.getParamValue(), realData) to make judgments, where both parameters are controllable by the user. This can cause an attacker pass in malicious regular expressions and characters causing a resource exhaustion. This issue affects Apache ShenYu (incubating) 2.4.0, 2.4.1 and 2.4.2. Mitigation: Upgrade to Apache ShenYu (incubating) 2.4.3 or apply patch https://github.com/apache/incubator-shenyu/pull/2975. Credit: Apache ShenYu would like to thank Lai Han of NSFOCUS security team for reporting this issue. -- Zhang Yonglun Apache ShenYu (Incubating) Apache ShardingSphere Zhang Yonglun <zhangyong...@apache.org> 于2022年5月17日周二 13:52写道: > > Severity: moderate > > Description: > > In ShenYu-Bootstrap there's RegexPredicateJudge.java which uses > Pattern.matches(conditionData.getParamValue(), realData) to make > judgments, where both parameters are controllable by the user. This > can cause an attacker pass in malicious regular expressions and > characters causing a resource exhaustion. > This issue affects Apache ShenYu (incubating) 2.4.0, 2.4.1 and 2.4.2. > > Mitigation: > > Upgrade to Apache ShenYu (incubating) 2.4.3 or apply patch > https://github.com/apache/incubator-shenyu/pull/2975. > > -- > > Zhang Yonglun > Apache ShenYu (Incubating) > Apache ShardingSphere
