Please see below for the amended notice. The prior announcement indicated that releases prior to 0.10.0 were unaffected, which is incorrect. Versions 0.8.0 - 0.18.0 included vulnerable Shiro versions.
Versions Affected: Aurora 0.8.0 - 0.18.0

Description: The affected versions of the scheduler rely on a version of Apache Shiro which is vulnerable to CVE-2016-4437. Under certain conditions, the vulnerability allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter.

Mitigation: 0.18.0 and earlier users should upgrade to 0.18.1 or apply this patch: https://git-wip-us.apache.org/repos/asf?p=aurora.git;a=commit;h=ec640117 Alternatively, the INI configuration mitigations outlined in CVE-2016-4437 may be applied.

Credit: This issue was discovered by Greg Harris from the Fitbit Security team.
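Because the corrected notice widens the affected range downwards to 0.8.0, an operator who triaged a fleet against the earlier announcement needs to re-check it. The following is an added example, not part of the advisory or the Aurora project: it compares scheduler version strings against the inclusive range 0.8.0 - 0.18.0 stated above and flags hosts that need the 0.18.1 upgrade or the referenced patch. The host names and version strings in SAMPLE_INVENTORY are constructed inputs, and the code assumes plain X.Y.Z version strings (anything else is reported as unknown rather than guessed at).

```python
"""Triage Apache Aurora scheduler versions against the CVE-2016-4437 advisory.

Added example (not the advisory's or the project's own code). The affected
range and fixed version come from the notice above; everything else here,
including the sample inventory, is constructed for illustration.
"""
from typing import Dict, Tuple

# Inclusive range the amended advisory lists as affected, and the fixed release.
AFFECTED_MIN: Tuple[int, int, int] = (0, 8, 0)
AFFECTED_MAX: Tuple[int, int, int] = (0, 18, 0)
FIXED_VERSION: Tuple[int, int, int] = (0, 18, 1)

# Constructed inventory: host -> reported scheduler version string.
SAMPLE_INVENTORY: Dict[str, str] = {
    "sched-a": "0.9.0",        # below the old 0.10.0 cut-off, still affected
    "sched-b": "0.18.0",       # last affected release
    "sched-c": "v0.18.1",      # fixed release, leading 'v' tolerated
    "sched-d": "not-installed" # unparseable, must not be silently passed
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'X.Y.Z' (an optional leading 'v' is stripped) into an int tuple.

    Raises ValueError for anything else so callers cannot mistake an
    unparseable string for a safe version.
    """
    core = text.strip()
    if core.startswith("v"):
        core = core[1:]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True if the version lies in the advisory's inclusive affected range."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Classify every host as 'affected', 'not affected' or 'unknown'.

    Tuple comparison is lexicographic, so 0.18.1 > 0.18.0 and 0.9.0 > 0.8.0
    behave as expected without any string tricks.
    """
    result: Dict[str, str] = {}
    for host, version in inventory.items():
        try:
            result[host] = "affected" if is_affected(version) else "not affected"
        except ValueError:
            result[host] = "unknown"
    return result


if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        action = ""
        if status == "affected":
            action = "  -> upgrade to %d.%d.%d or apply the referenced patch" % FIXED_VERSION
        print(f"{host}: {status}{action}")
```

Hosts reported as unknown should be inspected by hand rather than assumed safe; the checker deliberately refuses to interpret version strings it does not recognise.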
