If I have to fix the vulnerability scanner, that's a price probably worth paying :)

Best,
Philip Whitehouse

> On 29 Sep 2021, at 16:51, Brian Demers <brian.dem...@gmail.com> wrote:
>
> I think so. The ASF has been creating a lot of tooling to help improve
> the CVE reporting process; hopefully the CPE/artifact name can be added to
> the report. I'll follow up with the ASF Infra team.
>
> NOTE: Even if we can add it, some vulnerability scanners use fuzzy matching,
> which causes false positives (mainly because the Maven artifact
> coordinates are not listed in CVEs).
>
>> On Wed, Sep 29, 2021 at 6:02 AM philip <phi...@whiuk.com> wrote:
>>
>> Is it practical to look at separating the Spring library from the rest
>> of Shiro?
>> It seems like we see a fair number of vulnerabilities for the Spring
>> code which don't affect other modules / usage.
>>
>> Best regards,
>>
>> Philip Whitehouse
>>
>>> On 2021-09-16 21:19, Brian Demers wrote:
>>> Description:
>>>
>>> In Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a
>>> specially crafted HTTP request may cause an authentication bypass.
>>>
>>> Users should update to Apache Shiro 1.8.0.
>>>
>>> Credit:
>>>
>>> Apache Shiro would like to thank tsug0d for reporting this issue.
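Added example, not part of the mailing-list thread or the Shiro project: a toy dependency scanner that shows the false-positive mechanism Brian describes. With only a CPE-style vendor/product pair to go on, a scanner has to fuzzy-match on the product name, so every Shiro artifact below the fixed version gets flagged; when the advisory also lists the affected Maven artifactIds, the same scanner can confine the finding to those modules. The dependency list and the affected-artifact set (shiro-spring, shiro-spring-boot-web-starter) are constructed for illustration only; the thread does not say which Shiro artifacts the advisory covers.

```python
"""Toy Maven dependency scanner: CPE-style fuzzy matching vs. coordinate-aware
matching against a single advisory. All data below is constructed for the example."""
from dataclasses import dataclass


@dataclass
class Advisory:
    vendor: str
    product: str
    fixed_in: str                       # "before X" wording: X is the first fixed version
    affected_artifacts: frozenset = frozenset()  # Maven artifactIds, if the report lists them


@dataclass(frozen=True)
class Dependency:
    group_id: str
    artifact_id: str
    version: str

    @property
    def coordinates(self) -> str:
        return f"{self.group_id}:{self.artifact_id}:{self.version}"


def parse_version(v: str):
    """Turn a Maven version such as '1.7.1', '1.8' or '1.8.0-RC1' into a comparable key.
    Numeric segments compare numerically, '1.8' equals '1.8.0', and a qualified
    version (e.g. -RC1) sorts before the bare release of the same number."""
    core, _, qualifier = v.partition("-")
    nums = tuple(int(p) for p in core.split("."))
    nums += (0,) * (3 - len(nums))
    return nums, qualifier == ""        # release (no qualifier) sorts after its pre-releases


def is_affected_version(version: str, fixed_in: str) -> bool:
    return parse_version(version) < parse_version(fixed_in)


def fuzzy_matches(advisory: Advisory, deps):
    """CPE-style matching: flag any artifact whose groupId or artifactId
    mentions the product name and whose version is below the fix."""
    product = advisory.product.lower()
    return [d.coordinates for d in deps
            if (product in d.group_id.lower() or product in d.artifact_id.lower())
            and is_affected_version(d.version, advisory.fixed_in)]


def coordinate_matches(advisory: Advisory, deps):
    """Coordinate-aware matching: flag only the artifactIds the report names.
    Falls back to fuzzy matching when the report lists none."""
    if not advisory.affected_artifacts:
        return fuzzy_matches(advisory, deps)
    return [d.coordinates for d in deps
            if d.artifact_id in advisory.affected_artifacts
            and is_affected_version(d.version, advisory.fixed_in)]


# Constructed sample data. The affected-artifact set is a hypothetical value
# chosen to show the mechanism, not a statement about the real advisory.
SAMPLE_ADVISORY = Advisory(
    vendor="apache", product="shiro", fixed_in="1.8.0",
    affected_artifacts=frozenset({"shiro-spring", "shiro-spring-boot-web-starter"}),
)

SAMPLE_DEPS = [
    Dependency("org.apache.shiro", "shiro-core", "1.7.1"),
    Dependency("org.apache.shiro", "shiro-spring", "1.7.1"),
    Dependency("org.apache.shiro", "shiro-spring-boot-web-starter", "1.7.1"),
    Dependency("org.apache.shiro", "shiro-spring-boot-web-starter", "1.8.0"),
    Dependency("org.springframework.boot", "spring-boot", "2.5.4"),
]


def scan_report(advisory: Advisory = SAMPLE_ADVISORY, deps=SAMPLE_DEPS) -> dict:
    """Both match modes side by side; the difference is the false-positive set."""
    fuzzy = fuzzy_matches(advisory, deps)
    exact = coordinate_matches(advisory, deps)
    return {"fuzzy": fuzzy, "coordinate": exact,
            "false_positives": [c for c in fuzzy if c not in exact]}


if __name__ == "__main__":
    for key, value in scan_report().items():
        print(f"{key}:")
        for coord in value:
            print(f"  {coord}")
```

Running it lists three fuzzy hits (shiro-core, shiro-spring and the Spring Boot starter at 1.7.1) against two coordinate-aware hits, with shiro-core:1.7.1 as the false positive; the 1.8.0 starter and the unrelated Spring Boot artifact are never flagged. The version key treats `1.8.0-RC1` as affected by a "before 1.8.0" advisory, which is the behaviour you normally want.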