[ https://issues.apache.org/jira/browse/GEODE-10449?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Alexander Murmann updated GEODE-10449:
--------------------------------------
    Labels: needsTriage  (was: )

> Update shiro-core to version 1.12.0 for CVE-2023-34478
> ------------------------------------------------------
>
>                 Key: GEODE-10449
>                 URL: https://issues.apache.org/jira/browse/GEODE-10449
>             Project: Geode
>          Issue Type: Bug
>    Affects Versions: 1.15.1
>            Reporter: Ankush Mittal
>            Priority: Major
>              Labels: needsTriage
>
> As per [https://nvd.nist.gov/vuln/detail/CVE-2023-34478]:
> _"Apache Shiro, before 1.12.0 or 2.0.0-alpha-3, may be susceptible to a path
> traversal attack that results in an authentication bypass when used together
> with APIs or other web frameworks that route requests based on non-normalized
> requests. Mitigation: Update to Apache Shiro 1.12.0+ or 2.0.0-alpha-3+"_
>
> Geode 1.15.1 bundles version 1.9.1 of the shiro-core jar, which is vulnerable as
> per the CVE.
>
> There is another CVE related to shiro-core 1.9.1,
> [https://nvd.nist.gov/vuln/detail/CVE-2023-22602], which states:
> "When using Apache Shiro before 1.11.0 together with Spring Boot 2.6+, a
> specially crafted HTTP request may cause an authentication bypass. The
> authentication bypass occurs when Shiro and Spring Boot are using different
> pattern-matching techniques. Both Shiro and Spring Boot < 2.6 default to Ant
> style pattern matching. Mitigation: Update to Apache Shiro 1.11.0, or set the
> following Spring Boot configuration value:
> `spring.mvc.pathmatch.matching-strategy = ant_path_matcher`"
>
> A fix for the mentioned vulnerabilities seems to have been merged into the "develop" branch
> via commit
> [https://github.com/apache/geode/commit/d1958146c12affb1fe3eabc5823bb4eeb6c0badc]
>
> Logging this Jira to update the same in the 1.15.1 branch as well.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)