[ https://issues.apache.org/jira/browse/OFBIZ-12839?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacques Le Roux updated OFBIZ-12839:
------------------------------------
        Parent: OFBIZ-1525
    Issue Type: Sub-task  (was: Bug)

> [CVE-2023-34478] Apache Shiro, before 1.12.0, is susceptible to a path traversal attack
> ---------------------------------------------------------------------------------------
>
>                 Key: OFBIZ-12839
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-12839
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: framework
>    Affects Versions: 22.01.01, Upcoming Branch, 18.12.09
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Major
>             Fix For: 22.01.01, 18.12.09
>
>
> Apache Shiro, before 1.12.0 or 2.0.0-alpha-3, may be susceptible to a path 
> traversal attack that results in an authentication bypass when used together 
> with APIs or other web frameworks that route requests based on non-normalized 
> requests. 
> Mitigation: Update to Apache Shiro 1.12.0+ or 2.0.0-alpha-3+. 
> Credit: Apache Shiro would like to thank swifty tk for reporting this issue. 
> -The Apache Shiro Team 
> Also at [https://lists.apache.org/thread/jowcs5nd4tz5fxwl1mqkqnvyrwwx59qo]
>  
> jleroux: from the description I'm not sure OFBiz is concerned, anyway better 
> to be safe than sorry



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
