CVE-2021-37580
Improper Authentication in Apache ShenYu Admin
CVSS 3.1: 9.8 (CRITICAL)
EPSS: 94.0%
Description
A flaw was found in Apache ShenYu Admin. The incorrect use of JWT in ShenyuAdminBootstrap allows an attacker to bypass authentication. This issue affected Apache ShenYu 2.3.0 and 2.4.0.
How to fix CVE-2021-37580
To remediate CVE-2021-37580, upgrade the affected package to the fixed version listed below.
- Maven / org.apache.shenyu:shenyu-admin: upgrade to 2.4.1 or later
Is CVE-2021-37580 being exploited?
Likely — EPSS is 94.0%, placing CVE-2021-37580 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.
Affected packages (1)
- Maven / org.apache.shenyu:shenyu-admin: >= 2.3.0, < 2.4.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |