A quick update,
First, the Apache Shiro team wants to thank qianji @ OPPO ZIWU Cyber
Security Lab for reporting the issue responsibly [0].
Second, if you are NOT using Shiro’s Spring Boot Starter
(`shiro-spring-boot-web-starter`), you must add the
ShiroRequestMappingConfig auto configuration [1] to your application or
configure the equivalent manually [2].
[0] https://www.apache.org/security/
[1] https://shiro.apache.org/spring-framework.html#SpringFramework-WebConfig
[2] https://github.com/apache/shiro/blob/shiro-root-1.7.0/support/spring/src/main/java/org/apache/shiro/spring/web/config/ShiroRequestMappingConfig.java#L28-L30
On Fri, Oct 30, 2020 at 1:58 PM wrote:
> The Shiro team is pleased to announce the release of Apache Shiro version
> 1.7.0.
>
> This security release contains 7 fixes since the 1.6.0 release and is
> available for Download now [1].
>
> CVE-2020-17510:
> Apache Shiro before 1.7.0, when using Apache Shiro with Spring, a
> specially crafted HTTP request may cause an authentication bypass.
>
> Release binaries (.jars) are also available through Maven Central and
> source bundles through Apache distribution mirrors.
>
> For more information on Shiro, please read the documentation [2].
>
> -The Apache Shiro Team
>
> [1] http://shiro.apache.org/download.html
> [2] http://shiro.apache.org/documentation.html
>
> --
> François
> fpa...@apache.org
>
>
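As an added illustration (not part of this thread and not the Shiro project's own code), one way to apply the equivalent setting manually in a Spring MVC application that does not use the starter: a configuration class that turns off trailing-slash matching for Spring MVC request mappings, so that Spring MVC and Shiro's filter chain agree on which paths a rule covers. The package, class and bean names and the sample filter chain are assumptions; `ShiroRequestMappingConfig` in [2] is the project's own class.

```java
package com.example.security; // hypothetical package

import org.apache.shiro.spring.web.config.DefaultShiroFilterChainDefinition;
import org.apache.shiro.spring.web.config.ShiroFilterChainDefinition;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.PathMatchConfigurer;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

/**
 * Hypothetical configuration for an application on Spring MVC + Shiro 1.7.0
 * that does NOT use shiro-spring-boot-web-starter, so the starter's
 * ShiroRequestMappingConfig auto configuration is not picked up.
 */
@Configuration
public class ShiroMvcHardeningConfig implements WebMvcConfigurer {

    /**
     * Manual equivalent of ShiroRequestMappingConfig: stop Spring MVC from
     * treating "/admin/report/" as a match for a handler mapped to
     * "/admin/report". Keeping MVC's path matching strict means the path
     * Shiro's filter chain evaluated is the same path MVC dispatches on.
     */
    @Override
    public void configurePathMatch(PathMatchConfigurer configurer) {
        configurer.setUseTrailingSlashMatch(false);
    }

    /** Sample filter chain (constructed); its rules must line up with the MVC mappings. */
    @Bean
    public ShiroFilterChainDefinition shiroFilterChainDefinition() {
        DefaultShiroFilterChainDefinition chain = new DefaultShiroFilterChainDefinition();
        chain.addPathDefinition("/login", "authc");
        chain.addPathDefinition("/admin/**", "authc, roles[admin]");
        chain.addPathDefinition("/**", "authc");
        return chain;
    }
}
```

Alternatively, `@Import(ShiroRequestMappingConfig.class)` on an existing `@Configuration` class pulls in the project's own class from [2] instead of overriding `configurePathMatch`.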