CVE-2022-23944: Apache ShenYu (incubating) Improper access control
Severity: Moderate
Description: Users can access the /plugin API without authentication. This issue affects Apache ShenYu 2.4.0 and 2.4.1. Anyone can call the /plugin API, which lists the details of all plugins, including id, name, and config (which may include a password). A new plugin can also be added by sending a POST request to the /plugin API.
Mitigation: Upgrade to Apache ShenYu (incubating) 2.4.2 or apply the patch.
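Added triage example, not part of the advisory or of the ShenYu project: it scans access logs for successful /plugin requests made while an affected version was running, separating reads of plugin config from plugin additions. The Combined Log Format reverse-proxy log, the `trusted_ips` allow-list, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in Combined Log Format (assumed reverse proxy in
# front of the admin service; addresses are documentation ranges, not real hosts).
SAMPLE_LOG = """\
192.0.2.10 - - [20/Jan/2022:10:01:02 +0000] "GET /plugin?currentPage=1&pageSize=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Jan/2022:10:05:40 +0000] "GET /plugin HTTP/1.1" 200 4988 "-" "curl/7.79.1"
198.51.100.7 - - [20/Jan/2022:10:06:11 +0000] "POST /plugin HTTP/1.1" 200 87 "-" "curl/7.79.1"
203.0.113.5 - - [20/Jan/2022:10:07:00 +0000] "GET /plugins.css HTTP/1.1" 404 0 "-" "Mozilla/5.0"
203.0.113.5 - - [20/Jan/2022:10:08:00 +0000] "POST /plugin HTTP/1.1" 401 0 "-" "Mozilla/5.0"
"""

AFFECTED = {"2.4.0", "2.4.1"}  # versions named in the advisory

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def is_plugin_api(target):
    """True for /plugin itself, with a query string, or a sub-path (assumed scope)."""
    path = target.split("?", 1)[0]
    return path == "/plugin" or path.startswith("/plugin/")

def triage(log_text, version, trusted_ips=frozenset()):
    """Return {ip: [(timestamp, method, kind)]} for successful /plugin calls from
    addresses outside trusted_ips; empty if `version` (running then) is unaffected."""
    findings = defaultdict(list)
    if version not in AFFECTED:
        return dict(findings)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not is_plugin_api(m["target"]):
            continue
        if not m["status"].startswith("2") or m["ip"] in trusted_ips:
            continue
        # GET lists plugin details (config may hold passwords); POST adds a plugin.
        kind = {"GET": "config-read", "POST": "plugin-added"}.get(m["method"], "other")
        findings[m["ip"]].append((m["ts"], m["method"], kind))
    return dict(findings)

if __name__ == "__main__":
    for ip, events in triage(SAMPLE_LOG, "2.4.1", {"192.0.2.10"}).items():
        for ts, method, kind in events:
            print(f"{ip} {ts} {method} /plugin -> {kind}")
```

A `config-read` hit is a reason to rotate any password stored in plugin config; a `plugin-added` hit is a reason to compare the current plugin list against the expected one.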
Reference links: