Severity: moderate Description:
Any user can access /plugin API without authentication. The project use Shiro to authenticate, but the default WhiteLists are defineded in application include /plugin path. So everybody can access /plugin API which will list the details of all plugins include id, name, config (may include password). We can also add a new plugin with POST method while using /plugin API. This issue affects Apache ShenYu (incubating) 2.4.0 and 2.4.1. Mitigation: Upgrade to Apache ShenYu (incubating) 2.4.2 or apply patch https://github.com/apache/incubator-shenyu/pull/2462. -- Zhang Yonglun Apache ShenYu (Incubating) Apache ShardingSphere
