[ https://issues.apache.org/jira/browse/OFBIZ-12839?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17745972#comment-17745972 ]

ASF subversion and git services commented on OFBIZ-12839:
---------------------------------------------------------

Commit 3d34f5be1ee0ce27eb3cc029baa961acf160dbbe in ofbiz-framework's branch 
refs/heads/trunk from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=3d34f5be1e ]

Fixed: [CVE-2023-34478] Apache Shiro, before 1.12.0, is susceptible to a path 
traversal attack (OFBIZ-12839)

See https://lists.apache.org/thread/jowcs5nd4tz5fxwl1mqkqnvyrwwx59qo for details


> [CVE-2023-34478] Apache Shiro, before 1.12.0, is susceptible to a path 
> traversal attack
> ---------------------------------------------------------------------------------------
>
>                 Key: OFBIZ-12839
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-12839
>             Project: OFBiz
>          Issue Type: Bug
>          Components: framework
>    Affects Versions: 22.01.01, Upcoming Branch, 18.12.09
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Major
>             Fix For: 22.01.01, 18.12.09
>
>
> Apache Shiro, before 1.12.0 or 2.0.0-alpha-3, may be susceptible to a path 
> traversal attack that results in an authentication bypass when used together 
> with APIs or other web frameworks that route requests based on non-normalized 
> requests. 
> Mitigation: Update to Apache Shiro 1.12.0+ or 2.0.0-alpha-3+. 
> Credit: Apache Shiro would like to thank swifty tk for reporting this issue. 
> -The Apache Shiro Team 
> Also at https://lists.apache.org/thread/jowcs5nd4tz5fxwl1mqkqnvyrwwx59qo
>  
> jleroux: from the description I'm not sure OFBiz is concerned, anyway better 
> to be safe than sorry
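The advisory above describes a defect class rather than a single bug: an access-control filter that prefix-matches rules against the request path as received, while the framework behind it routes the request on a canonicalized path, so the two components disagree about which resource is being accessed. The following is an added illustration in Python, not Apache Shiro's or OFBiz's code; the rule table, the `match_raw`, `normalize_path` and `match_normalized` functions, and the sample paths are all constructed for this example.

```python
"""Added illustration of matching access rules on a raw versus a canonical
request path. Constructed example; not Apache Shiro's or OFBiz's code."""
import posixpath
from typing import Optional
from urllib.parse import unquote

# Constructed rule table: (path prefix, role required). None means anonymous access is fine.
RULES = [
    ("/admin", "admin"),
    ("/public", None),
]

# Return value used when no rule matches: default deny.
DENY = "deny"


def match_rules(path: str) -> Optional[str]:
    """Prefix-match on segment boundaries so '/admin' does not also cover '/administrator'."""
    for prefix, role in RULES:
        if path == prefix or path.startswith(prefix + "/"):
            return role
    return DENY


def match_raw(path: str) -> Optional[str]:
    """Fragile pattern: the rules see the path exactly as the client sent it.

    A router that collapses '.', '..', repeated slashes and percent-encoding
    before dispatching will hand the request to a different handler than the
    one these rules were evaluated for.
    """
    return match_rules(path)


def normalize_path(path: str) -> Optional[str]:
    """Canonicalize a request path the way a typical router does before dispatch.

    Steps: decode percent-encoding exactly once, force a leading slash,
    collapse '.', '..' and duplicate slashes. Returns None for input that is
    still percent-encoded after one decode (double encoding), which the caller
    treats as deny rather than guessing at the intended path.
    """
    decoded = unquote(path)
    if "%" in decoded:
        return None
    if not decoded.startswith("/"):
        decoded = "/" + decoded
    norm = posixpath.normpath(decoded)  # drops '..' above the root, keeps it absolute
    # posixpath.normpath preserves exactly two leading slashes (POSIX allows it);
    # a web router does not distinguish them, so collapse to one.
    while norm.startswith("//"):
        norm = norm[1:]
    return norm


def match_normalized(path: str) -> Optional[str]:
    """Hardened pattern: evaluate the same rule table over the canonical path."""
    norm = normalize_path(path)
    if norm is None:
        return DENY
    return match_rules(norm)


if __name__ == "__main__":
    # Constructed sample paths: each is shown with both matchers so the
    # disagreement between raw and canonical matching is visible.
    for sample in ["/admin/users", "/public/index.html", "/public/../admin/users",
                   "/public/%2e%2e/admin/users", "//admin/users"]:
        print(f"{sample!r:35} raw={match_raw(sample)!r:8} "
              f"normalized={match_normalized(sample)!r}")
```

The point to take from the sample output is that the raw matcher classifies the traversal-style paths as anonymous `/public` requests while the canonical form resolves to `/admin`; the durable fix is the one the advisory gives (upgrade Shiro), and the general rule is that the authorization decision must be made on the same canonical path the router dispatches on, never on a representation the router will rewrite afterwards.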



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
