[ https://issues.apache.org/jira/browse/SHIRO-878?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17518621#comment-17518621 ]
Benjamin Marwell commented on SHIRO-878:
----------------------------------------
Hi [~boyqian], we do not have a *direct* vulnerability, because we only use
this as a provided/optional dependency.
Your application will always overwrite the version from Shiro. Thus, apps using
Shiro should not be affected when using proper dependencyManagement:
References:
* https://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html
* https://stackoverflow.com/questions/2619598/differences-between-dependencymanagement-and-dependencies-in-maven
> Update Spring Dependencies to 5.2.20
> ------------------------------------
>
> Key: SHIRO-878
> URL: https://issues.apache.org/jira/browse/SHIRO-878
> Project: Shiro
> Issue Type: Dependency upgrade
> Components: Integration: Spring
> Reporter: Benjamin Marwell
> Assignee: Les Hazlewood
> Priority: Major
> Fix For: 2.0.0, 1.9.1
>
>
> https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
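
An added example, not taken from the Shiro project or from the comment above: an application `pom.xml` that pins Spring through `dependencyManagement`, which is the mechanism the comment refers to. The `com.example:demo-app` project, the Shiro and Spring coordinates, and the `5.2.20.RELEASE` / `1.9.1` version strings are assumptions derived from the issue title and Fix For fields.

```xml
<!-- Constructed application POM: the application, not Shiro, decides the Spring version. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>          <!-- hypothetical application -->
  <artifactId>demo-app</artifactId>
  <version>1.0.0</version>

  <dependencyManagement>
    <dependencies>
      <!-- Importing the Spring BOM fixes the version of every Spring module,
           including any that arrive transitively. -->
      <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-framework-bom</artifactId>
        <version>5.2.20.RELEASE</version>  <!-- assumed version string for 5.2.20 -->
        <type>pom</type>
        <scope>import</scope>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- Shiro's Spring integration; its own Spring dependency is
         provided/optional per the comment, so it is not passed on. -->
    <dependency>
      <groupId>org.apache.shiro</groupId>
      <artifactId>shiro-spring</artifactId>
      <version>1.9.1</version>             <!-- assumed from the Fix For field -->
    </dependency>
    <!-- No version here: it is taken from dependencyManagement above. -->
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-context</artifactId>
    </dependency>
  </dependencies>
</project>
```

Running `mvn dependency:tree -Dincludes=org.springframework` against the application shows which Spring version is actually resolved.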