A quick update. First, the Apache Shiro team wants to thank qianji @ OPPO ZIWU Cyber Security Lab for reporting the issue responsibly [0].

Second, if you are NOT using Shiro's Spring Boot Starter (`shiro-spring-boot-web-starter`), you must add the ShiroRequestMappingConfig auto configuration [1] to your application or configure the equivalent manually [2].

[0] https://www.apache.org/security/
[1] https://shiro.apache.org/spring-framework.html#SpringFramework-WebConfig
[2] https://github.com/apache/shiro/blob/shiro-root-1.7.0/support/spring/src/main/java/org/apache/shiro/spring/web/config/ShiroRequestMappingConfig.java#L28-L30

On Fri, Oct 30, 2020 at 1:58 PM <[email protected]> wrote:
> The Shiro team is pleased to announce the release of Apache Shiro version
> 1.7.0.
>
> This security release contains 7 fixes since the 1.6.0 release and is
> available for download now [1].
>
> CVE-2020-17510:
> Apache Shiro before 1.7.0, when using Apache Shiro with Spring, a
> specially crafted HTTP request may cause an authentication bypass.
>
> Release binaries (.jars) are also available through Maven Central and
> source bundles through Apache distribution mirrors.
>
> For more information on Shiro, please read the documentation [2].
>
> -The Apache Shiro Team
>
> [1] http://shiro.apache.org/download.html
> [2] http://shiro.apache.org/documentation.html
>
> --
> François
> [email protected]
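As an added illustration (not code from the Shiro project or from this e-mail thread) of the "configure the equivalent manually" step for a plain Spring MVC application without the Boot starter, assuming that the linked ShiroRequestMappingConfig class disables Spring MVC's suffix-pattern and trailing-slash matching, and with the package and class name below chosen here:

```java
// Added example, not the Shiro project's own code. Manual equivalent of the
// ShiroRequestMappingConfig auto configuration for an application that does
// not use shiro-spring-boot-web-starter.
// Assumption: the linked class turns off Spring MVC suffix-pattern and
// trailing-slash matching; package and class names here are hypothetical.
// Both setters exist on Spring Framework 5.x (deprecated from 5.2.4,
// removed in 6.0, where suffix matching is gone and trailing-slash
// matching is off by default).
package com.example.security;

import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.PathMatchConfigurer;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

@Configuration
public class StrictPathMatchingConfig implements WebMvcConfigurer {

    @Override
    public void configurePathMatch(PathMatchConfigurer configurer) {
        // Shiro's filter chain evaluates the request path literally against
        // the chain definitions. Spring MVC 5.x, by default, would also route
        // "/path.ext" and "/path/" to the handler mapped at "/path". Disabling
        // both relaxations keeps the set of URLs Spring will dispatch equal to
        // the set of URLs the Shiro filter chain has actually evaluated, so no
        // handler is reachable through a path form the chain did not see.
        configurer.setUseSuffixPatternMatch(false);
        configurer.setUseTrailingSlashMatch(false);
    }
}
```

Register this class alongside your existing Shiro Spring configuration; if you later move to the Boot starter, drop it, since the starter brings the auto configuration with it.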
