[GEODE-10443] Update shiro-core to version 1.11.0 for CVE-2022-40664 - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Open
Priority: Major
Resolution: Unresolved
Affects Version/s: 1.15.1
Fix Version/s: None
Component/s: None
Labels:
- needsTriage
- pull-request-available

Description

As per https://nvd.nist.gov/vuln/detail/CVE-2022-40664 ,

"Apache Shiro before 1.10.0, Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher."

Geode 1.15.1 bundles version 1.9.1 of shiro-core jar which is vulnerable as per the CVE.

Also although the CVE doesn't include "1.10.0", but since more latest version "1.11.0" is available, logged ticket to bundle the same.

Attachments

Issue Links

links to

GitHub Pull Request #7881

Activity

People

Assignee:: Unassigned

Reporter:: Ankush Mittal

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 01/Mar/23 10:31

Updated:: 17/Jun/23 16:03