[
https://issues.apache.org/jira/browse/GEODE-10449?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Alexander Murmann updated GEODE-10449:
--------------------------------------
Labels: needsTriage (was: )
> Update shiro-core to version 1.12.0 for CVE-2023-34478
> ------------------------------------------------------
>
> Key: GEODE-10449
> URL: https://issues.apache.org/jira/browse/GEODE-10449
> Project: Geode
> Issue Type: Bug
> Affects Versions: 1.15.1
> Reporter: Ankush Mittal
> Priority: Major
> Labels: needsTriage
>
> As per [https://nvd.nist.gov/vuln/detail/CVE-2023-34478] ,
> _"Apache Shiro, before 1.12.0 or 2.0.0-alpha-3, may be susceptible to a path
> traversal attack that results in an authentication bypass when used together
> with APIs or other web frameworks that route requests based on non-normalized
> requests. Mitigation: Update to Apache Shiro 1.12.0+ or 2.0.0-alpha-3+"_
> Geode 1.15.1 bundles version 1.9.1 of shiro-core jar which is vulnerable as
> per the CVE.
>
> There is another CVE related to shiro-core 1.9.1,
> [https://nvd.nist.gov/vuln/detail/CVE-2023-22602] ,
> which states
> "When using Apache Shiro before 1.11.0 together with Spring Boot 2.6+, a
> specially crafted HTTP request may cause an authentication bypass. The
> authentication bypass occurs when Shiro and Spring Boot are using different
> pattern-matching techniques. Both Shiro and Spring Boot < 2.6 default to Ant
> style pattern matching. Mitigation: Update to Apache Shiro 1.11.0, or set the
> following Spring Boot configuration value:
> `spring.mvc.pathmatch.matching-strategy = ant_path_matcher`"
>
> Fix for the mentioned vulnerabilities seems to be merged in "develop" branch
> via commit
> [https://github.com/apache/geode/commit/d1958146c12affb1fe3eabc5823bb4eeb6c0badc]
> Logging this Jira to update the same in 1.15.1 branch as well.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
