youngjin.yang created ZEPPELIN-5948:
---------------------------------------
Summary: Update shiro version from 1.10.0 to 1.12.0 due to CVE-2023-34478
Key: ZEPPELIN-5948
URL: https://issues.apache.org/jira/browse/ZEPPELIN-5948
Project: Zeppelin
Issue Type: Improvement
Components: security
Reporter: youngjin.yang
Zeppelin is now using Shiro version 1.10.0.
[https://github.com/apache/zeppelin/blob/master/pom.xml#L138]
But Apache Shiro said "Apache Shiro, before 1.12.0 or 2.0.0-alpha-3, may be
susceptible to a path traversal attack that results in an authentication bypass
when used together with APIs or other web frameworks that route requests based
on non-normalized requests."
[https://shiro.apache.org/blog/2023/07/18/apache-shiro-1120-released.html]
So I request you to update the Shiro version for the latest Zeppelin.
I saw that one PR is already open, so I did not create a new issue.
[https://github.com/apache/zeppelin/pull/4636]
Can you share the plan for updating this version of shiro?
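The ticket's point is a build-time check: is the Shiro version a project resolves below the fix line named in the announcement quoted above (1.12.0 on the 1.x line, 2.0.0-alpha-3 on the 2.x pre-releases)? The following is an added example, not Zeppelin project code or part of the ticket: it parses a Maven pom, resolves a `${property}` reference in the shiro-core dependency, and classifies the version against that range. The embedded pom is constructed for the example and only mirrors the `shiro.version` property convention the ticket's pom link suggests; the affected-range logic is derived solely from the announcement wording ("before 1.12.0 or 2.0.0-alpha-3").

```python
"""Audit a Maven pom.xml for an Apache Shiro version that predates the fixes
announced with Shiro 1.12.0 (fixed in 1.12.0 / 2.0.0-alpha-3).
Added example for this ticket; not Zeppelin project code."""
import re
import xml.etree.ElementTree as ET

# Constructed pom fragment for the example (not the real Zeppelin pom); the
# <shiro.version> property name is an assumption modelled on common usage.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId>
  <artifactId>demo</artifactId>
  <version>0.1.0</version>
  <properties>
    <shiro.version>1.10.0</shiro.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.shiro</groupId>
      <artifactId>shiro-core</artifactId>
      <version>${shiro.version}</version>
    </dependency>
  </dependencies>
</project>
"""

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
# major.minor.patch with an optional qualifier such as "-alpha-3" or "-SNAPSHOT"
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z]+)-?(\d+)?)?$")


def parse_version(text):
    """Return (major, minor, patch, qualifier, qualifier_number); raise on junk."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised Shiro version: %r" % text)
    major, minor, patch, qual, qnum = m.groups()
    return (int(major), int(minor), int(patch),
            qual.lower() if qual else None,
            int(qnum) if qnum else None)


def shiro_is_affected(version):
    """True when the version predates the fixes shipped in Shiro 1.12.0.

    Range taken from the announcement wording quoted in the ticket:
    "before 1.12.0 or 2.0.0-alpha-3". 1.x releases below 1.12.0 are affected,
    2.0.0 alpha builds below alpha-3 are affected, later releases are not.
    """
    major, minor, patch, qual, qnum = parse_version(version)
    if major < 1:
        return True
    if major == 1:
        return (minor, patch) < (12, 0)
    if major == 2 and (minor, patch) == (0, 0) and qual == "alpha":
        return (qnum or 0) < 3
    return False


def shiro_version_from_pom(pom_xml):
    """Resolve the shiro-* dependency version, expanding a ${property} reference."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.split("}")[1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", NS)}
    for dep in root.findall("m:dependencies/m:dependency", NS):
        group = dep.findtext("m:groupId", default="", namespaces=NS)
        artifact = dep.findtext("m:artifactId", default="", namespaces=NS)
        if group == "org.apache.shiro" and artifact.startswith("shiro-"):
            raw = dep.findtext("m:version", default="", namespaces=NS).strip()
            ref = re.fullmatch(r"\$\{(.+)\}", raw)
            return props[ref.group(1)] if ref else raw
    return None


def audit_pom(pom_xml):
    """Return (version, affected) for the pom's Shiro dependency, or (None, False)."""
    version = shiro_version_from_pom(pom_xml)
    if version is None:
        return None, False
    return version, shiro_is_affected(version)


if __name__ == "__main__":
    version, affected = audit_pom(SAMPLE_POM)
    print("shiro %s -> %s" % (version, "update required (below 1.12.0)" if affected else "ok"))
```

The check only reads the declared version; a transitive shiro-core pulled in by another artifact would need `mvn dependency:tree` output fed to `shiro_is_affected` instead of the pom alone.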
--
This message was sent by Atlassian Jira
(v8.20.10#820010)