OK - Thank you all for your help. On a different note: are there any major design changes between the 1.x and 2.x versions? If we go ahead with the 1.9.1+ version, would our application need to go through major rework when upgrading to 2.x?

Thank you,
-Mihir.

On Thu, Jul 20, 2023 at 5:13 PM <le...@flowlogix.com> wrote:

> As Brian said,
> According to the link you provided, current Shiro versions do not have any
> vulnerabilities.
>
> The answer to your question (to the best of my understanding) is that all
> existing vulnerabilities are now fixed.
>
> On Jul 20, 2023, at 1:14 PM, Brian Demers <bdem...@apache.org> wrote:
>
> For that version, users are expected to update to a newer minor version.
>
> On Wed, Jul 19, 2023 at 4:43 PM Mihir Chhaya <mihir.chh...@gmail.com>
> wrote:
>
>> Thank you for your response. Following is the link I am referring to for
>> the Shiro Vulnerabilities associated with respective versions.
>>
>> https://mvnrepository.com/artifact/org.apache.shiro/shiro-core
>>
>> For example - following are reported in version 1.9.
>> CVE-2022-40664
>> <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40664>
>> CVE-2022-32532
>> <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32532>
>>
>> Thank you,
>> -Mihir.
>>
>> On Wed, Jul 19, 2023 at 1:59 PM <le...@flowlogix.com> wrote:
>>
>>> Hi, Mihir,
>>>
>>> I am not quite sure what you are asking. Can you clarify what exact
>>> vulnerabilities you are referring to?
>>> Perhaps a link or two?
>>>
>>> Thank you
>>>
>>> On Jul 18, 2023, at 7:39 AM, Mihir Chhaya <mihir.chh...@gmail.com>
>>> wrote:
>>>
>>> Hello,
>>>
>>> I see the Authentication bypass vulnerability existing in almost every
>>> release of the Apache Shiro.
>>>
>>> Is there any solution for this? We are evaluating the options to
>>> implement the security and not able to decide if these vulnerabilities will
>>> ever get resolved.
>>>
>>> Any suggestions?
>>>
>>> Thank you,
>>> -Mihir.