Zhang Yonglun

**Name of the Vulnerable Software and Affected Versions** Apache ShenYu (incubating) versions 2.4.0 through 2.4.2 **Description** The issue arises from the use of `Pattern.matches()` in `RegexPredicateJudge.java`, where both parameters are controllable by the user. This allows an attacker to pass in malicious regular expressions and characters, causing resource exhaustion. **Recommendations** For versions 2.4.0, 2.4.1, and 2.4.2, update to version 2.4.3 to resolve the issue. As a temporary workaround, consider restricting user input for the `conditionData.getParamValue()` and `realData` parameters to prevent malicious regular expressions from being executed.

**Name of the Vulnerable Software and Affected Versions** Apache ShenYu versions 2.4.0 through 2.4.1 **Description** The issue is related to incorrect code generation management, which can be exploited to execute arbitrary code using Groovy Code injection or SpEL injection, leading to Remote Code Execution. This can be done by a remote attacker. **Recommendations** For Apache ShenYu versions 2.4.0 and 2.4.1, consider disabling Groovy Code injection and SpEL injection functionality until a patch is available. Restrict access to the affected components to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Apache ShenYu versions 2.4.0 through 2.4.1 **Description** The issue is related to missing authentication on ShenYu Admin when registering by HTTP, which can allow a remote attacker to bypass security restrictions. **Recommendations** For Apache ShenYu versions 2.4.0 and 2.4.1, consider disabling the HTTP registration functionality until a patch is available. Restrict access to the ShenYu Admin module to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Apache ShenYu versions 2.4.0 through 2.4.1 **Description** The issue is related to insufficient protection of registration data, allowing a remote attacker to obtain user registration data using a specially crafted HTTP request. This can lead to the disclosure of user passwords. The estimated number of potentially affected devices is not specified. **Recommendations** For Apache ShenYu versions 2.4.0 and 2.4.1, upgrade to version 2.4.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the affected endpoint to minimize the risk of exploitation. Avoid using the affected HTTP endpoint until the issue is resolved.