[ https://issues.apache.org/jira/browse/OFBIZ-12839?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jacques Le Roux updated OFBIZ-12839:
------------------------------------
    Parent: OFBIZ-1525
    Issue Type: Sub-task (was: Bug)

> [CVE-2023-34478] Apache Shiro, before 1.12.0, is susceptible to a path traversal attack
> ---------------------------------------------------------------------------------------
>
>                 Key: OFBIZ-12839
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-12839
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: framework
>    Affects Versions: 22.01.01, Upcoming Branch, 18.12.09
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Major
>             Fix For: 22.01.01, 18.12.09
>
>
> Apache Shiro, before 1.12.0 or 2.0.0-alpha-3, may be susceptible to a path traversal attack that results in an authentication bypass when used together with APIs or other web frameworks that route requests based on non-normalized requests.
> Mitigation: Update to Apache Shiro 1.12.0+ or 2.0.0-alpha-3+.
> Credit: Apache Shiro would like to thank swifty tk for reporting this issue.
> -The Apache Shiro Team
> Also at [https://lists.apache.org/thread/jowcs5nd4tz5fxwl1mqkqnvyrwwx59qo]
>
> jleroux: from the description I'm not sure OFBiz is concerned, anyway better to be safe than sorry

--
This message was sent by Atlassian Jira
(v8.20.10#820010)